I do believe it is not Migmaf, but Download.Trojan.PSK, which downloads an IRC bot.

Symantec's description is too skimpy - I guess they kept it generic in case the same trojan code is distributed using a different message or method.
http://www.sarc.com/avcenter/venc/data/download.trojan.psk.html

McAfee has the most complete posted description I've seen so far. They call it Downloader-DK.
http://vil.mcafee.com/dispVirus.asp?virus_k=100512

> -----Original Message-----
> From: Dowling, Gabrielle [mailto:dowlinggat_private]
> Sent: Monday, July 28, 2003 12:28 AM
> To: Michael J. Pomraning; incidentsat_private
> Subject: RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe
>
> Yes, MessageLabs reported on this on Friday, it appears to be the
> reverse proxy trojan that Symantec describes as Migmaf, other vendors
> describe it differently.
>
> Gaby
>
> -----Original Message-----
> From: Michael J. Pomraning [mailto:mjpat_private]
> Sent: Saturday, July 26, 2003 9:37 AM
> To: incidentsat_private
> Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe
>
> Hello,
>
> I last night got a spoofed email inviting me to open its .zip
> attachment, a .htm containing a base64-encoded file aaa.exe followed by
> an "Exploit-Codebase" (NAI's classification) javascript springload:
>
>   sender:     adminat_private
>   subject:    Newsletter
>   attachment: readme.zip
>                 |
>                 +--> readme.htm --> { aaa.exe (MIME/b64) + "Exploit-CodeBase" }
>
> Strings from aaa.exe suggest that it wants to fetch a fixed URL --
> http://64.246.56.74/~caraoke/ksp.exe. This one, in turn, has Windows
> socket strings. I've not run either, and neither exe was identified by
> an up-to-date Sophos scanner.
>
> Is this a known backdoor, pr0n agent, or similar? I don't have a
> windows MUA to test with, but I'm assuming it requires manual
> intervention (unzip the .zip, view the .htm) to trigger, so its spread
> may be limited.
>
> Google didn't turn up much, and Google Groups (searching for the sender)
> puts this mail in it.news.net-abuse and perl.modules since yesterday.
> Looks like this one doesn't vary sender/subject/etc. The complete mail
> is available at
>
> http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain
>
> Regards,
> Mike
>
> --
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Internet Security
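The static look Mike describes (unpack the .htm, find the MIME/base64 blob, check that it is an executable, read the URL and Winsock strings out of it) can be scripted so the same triage runs on every sample. The following is an added example for this archive page, not code posted by anyone in the thread. The sample .htm body, the fake MZ-headed executable inside it, and the 203.0.113.10 download URL are all constructed here; it assumes the dropper embeds the executable as a long base64 run in the HTML, as the original report says, and nothing about the real aaa.exe beyond that.

```python
"""Triage an HTML attachment that embeds a base64-encoded executable.

Added example (not code from the thread): carve long base64 runs out of the
.htm body, keep the ones that decode to an MZ-headed file, and pull the URL
and Winsock strings from them. The sample attachment and the fake executable
inside it are constructed for this example.
"""
import base64
import binascii
import re

# Constructed stand-in for the dropped executable: an MZ header, filler,
# one hard-coded download URL (TEST-NET address, not a real host) and a
# couple of Winsock import names.
_FAKE_EXE = (
    b"MZ" + b"\x90\x00" * 30
    + b"\x00http://203.0.113.10/~user/payload.exe\x00"
    + b"WSAStartup\x00connect\x00"
    + b"\x00" * 20
)

# Constructed .htm body in the shape the report describes: some markup, the
# MIME/base64 blob (wrapped at 76 columns as a mail client would), and a
# script block where the springload would sit.
SAMPLE_HTM = (
    "<html><body>\n<p>Newsletter</p>\n<!-- padding -->\n"
    + base64.encodebytes(_FAKE_EXE).decode("ascii")
    + "<script>/* dropper logic would go here */</script>\n</body></html>\n"
)

# A base64 run long enough to be a file rather than a token; newlines are
# allowed inside because MIME wraps the encoding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/\r\n]{64,}={0,2}")
# Printable run starting with a URL scheme; stops at the first NUL or
# non-printable byte, which is how strings(1) would cut it.
_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Import names worth flagging in a suspected downloader / bot.
_WINSOCK = (b"WSAStartup", b"socket", b"connect", b"send", b"recv",
            b"gethostbyname", b"InternetOpenUrlA", b"URLDownloadToFileA")


def carve_base64_blobs(text, min_encoded_len=64):
    """Decode every long base64 run in text; skip runs that are not valid base64."""
    blobs = []
    for match in _B64_RUN.finditer(text):
        encoded = re.sub(r"\s+", "", match.group(0))
        encoded = encoded[: len(encoded) - len(encoded) % 4]  # drop a ragged tail
        if len(encoded) < min_encoded_len:
            continue
        try:
            blobs.append(base64.b64decode(encoded, validate=True))
        except (binascii.Error, ValueError):
            continue
    return blobs


def is_mz(blob):
    """Cheap check for a DOS/PE header; enough to separate an .exe from text."""
    return blob[:2] == b"MZ"


def extract_urls(blob):
    """URLs hard-coded in the binary, decoded to str."""
    return [u.decode("ascii") for u in _URL_RE.findall(blob)]


def winsock_strings(blob):
    """Networking import names present in the binary, in table order."""
    return [s.decode("ascii") for s in _WINSOCK if s in blob]


def triage_attachment(htm_text):
    """One record per embedded executable: size, URLs and Winsock names."""
    return [
        {"size": len(blob), "urls": extract_urls(blob), "winsock": winsock_strings(blob)}
        for blob in carve_base64_blobs(htm_text)
        if is_mz(blob)
    ]


if __name__ == "__main__":
    for record in triage_attachment(SAMPLE_HTM):
        print(record)
```

Running it on the constructed sample reports one 140-byte MZ blob carrying the single URL and the WSAStartup/connect names, which is the shape of the evidence the thread is working from. On a real attachment, feed it the .htm text after unzipping, and treat the carved blob as hostile: hash it and submit it to a sandbox, but do not execute it on the analysis host.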
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:49:03 PDT