Peter Snell <PSnellat_private> wrote:

> Over the past 2 days, we have been seeing a resurgence of Klez type
> activity. However, this appears to be getting past our a/v software. The
> symptoms we see are:
>
> - spoofed email address
> - unusual subject
> - no body
> - attachments with .scr, .bat, .exe, .jpg extensions (there may be others,
>   but this is what we've examined so far)
> - when the email is opened, even in preview pane, it launches Media Player
>   but is unable to find the specified file.
>
> Has anyone else seen this type of activity lately, or have any thoughts on
> this?

I've not looked into the details of this in the lab, but might what you're
describing be related to this recent warning from MessageLabs about Outlook
weirdness with specially formulated "triple extension" filenames in MIME
attachments?

   http://www.messagelabs.com/viruseye/report.asp?id=130

   Outlook quirks being exploited by viruses and trojans

   With the advances being made in content filtering techniques, virus
   authors and trojan writers are now resorting to exploiting the veiled
   quirkiness of our email software to further consolidate their social
   engineering tactics.
   ...

If you still have a copy of one of those Emails, you may also consider
forwarding it to your preferred AV developers for further analysis in case
there is obfuscated malware included. Here is a list of the sample
submission addresses of the better known AV developers to save you looking
them up:

   Command Software                 <virusat_private>
   Computer Associates (US)         <virusat_private>
   Computer Associates (Vet/EZ)     <ipevirusat_private>
   DialogueScience (Dr. Web)        <Antivirat_private>
   Eset (NOD32)                     <sampleat_private>
   F-Secure Corp.                   <samples@f-secure.com>
   Frisk Software (F-PROT)          <viruslab@f-prot.com>
   Grisoft (AVG)                    <virusat_private>
   H+BEDV (AntiVir)                 <virusat_private>
   Kaspersky Labs                   <newvirusat_private>
   Network Associates (McAfee)      <virus_researchat_private>
   Norman (NVC)                     <analysisat_private>
   Sophos Plc.                      <supportat_private>
   Symantec (Norton)                <avsubmitat_private>
   Trend Micro (PC-cillin)          <virus_doctorat_private>
      (Trend may only accept files from registered users of its products)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
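The symptoms Peter lists (empty body, attachment names ending in .scr/.bat/.exe) and the multi-extension filenames Nick points to can be turned into a simple mail-gateway triage check. The following is an added example written for this archive page, not code from either poster or from MessageLabs; the extension list and the sample message are constructed for the illustration, and the filename quirk is assumed to show up simply as a name carrying several extensions.

```python
import email
from email import policy

# Last-extension types treated as executable for this check: the three the
# thread reports (.scr/.bat/.exe) plus a few other Windows-runnable types.
# Assumed list for this example, not a standard.
RISKY_EXTS = {"scr", "bat", "exe", "pif", "com", "vbs", "js"}

# Constructed sample reproducing the reported symptoms: an odd subject,
# no body text, and an attachment whose name carries three extensions.
SAMPLE = b"""\
From: "Alice" <alice@example.org>
Subject: Let's be friends
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY42"

--BOUNDARY42
Content-Type: text/plain; charset="us-ascii"

--BOUNDARY42
Content-Type: application/octet-stream; name="holiday.jpg.wav.scr"
Content-Disposition: attachment; filename="holiday.jpg.wav.scr"
Content-Transfer-Encoding: 7bit

placeholder text standing in for the attachment payload
--BOUNDARY42--
"""


def scan_message(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"empty_body": True, "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            # Inline text part: any non-blank text means the mail has a body.
            if part.get_content_maintype() == "text" and part.get_content().strip():
                result["empty_body"] = False
            continue
        exts = [e.lower() for e in name.split(".")[1:]]
        reasons = []
        if exts and exts[-1] in RISKY_EXTS:
            reasons.append("executable extension")
        if len(exts) >= 2:  # e.g. holiday.jpg.wav.scr
            reasons.append(f"{len(exts)} extensions")
        result["attachments"].append({"name": name, "reasons": reasons})
    return result


def is_suspicious(raw: bytes) -> bool:
    """The pattern from the thread: no body plus at least one flagged attachment."""
    r = scan_message(raw)
    return r["empty_body"] and any(a["reasons"] for a in r["attachments"])
```

A hit is a reason to quarantine the message for a look and to forward a copy to one of the sample-submission addresses above, not a verdict on its own.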
This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:47:57 PST