<li><em>date</em>: Fri Mar 5 11:22:10 2004</li>
<li><em>from</em>: kaboom at gatech.edu (Chris Ricker)</li>
<li><em>in-reply-to</em>: <<a href="msg00102.html">[email protected]</a>></li>
<li><em>references</em>: <<a href="msg00102.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] (fwd) Is this a trojan/worm?</li>
>
> Well this showed up in the mail spool this morning. It is obvious social
> engineering here, as I run this domain, but I'm unsure what these turkeys
> are trying to do. Pine didn't bring all the headers forward, but I can get
> them to you if you want it.
>
> Anybody recognize this garbage??
It's a W32.Bagle@mm (sometimes spelled Beagle) Windows email / Windows user
exploit. It's stored in a password-protected zip file attached to an email
which contains the password in the email body. There are enough clueless
users that read the password, unzip the attachment, and execute the
attachment that it's spreading very well.
Because the zip is password-encrypted, it eludes some email virus scanners.
You can filter it pretty easily using body_checks if you like, or you can
patch amavisd-new easily to read the password, unzip the attachment, and
then run whatever virus scanner you have hooked into amavis over it....
later,
chris
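The second approach Chris mentions, a filter that reads the password out of the message body, opens the password-protected zip with it and then hands the contents to the scanner, written out as an added Python example. This is not amavisd-new code and not anything posted in the thread. The lure message, the password, the inert "MZ" payload, the example.com addresses and the scan_bytes stand-in scanner are all constructed for the demo, and ZipCrypto (traditional PKWARE) encryption is implemented by hand only so the sample archive can be built offline, since the stdlib zipfile module can read ZipCrypto but not write it. Nothing here is a Bagle signature; the point is the unlock-then-scan step that an encrypted attachment otherwise defeats.

```python
# Added example (not amavisd-new code): read the zip password out of the body,
# open the password-protected attachment with it, hand the members to a scanner.
import io, os, re, struct, zipfile, zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

def _crc_entry(i):
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i

_TABLE = [_crc_entry(i) for i in range(256)]   # standard CRC-32 table

def zipcrypto_encrypt(data, pwd, crc):
    """Traditional PKWARE (ZipCrypto) encryption, implemented here only because
    the stdlib can read it but not write it.  Output: 12-byte header + ciphertext;
    plaintext header[11] is the CRC's high byte, which is what lets a reader
    reject a wrong password before reading the member."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        k[0] = (k[0] >> 8) ^ _TABLE[(k[0] ^ c) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]
    for p in pwd:
        update(p)
    out = bytearray()
    for c in os.urandom(11) + bytes([(crc >> 24) & 0xFF]) + data:
        t = (k[2] | 2) & 0xFFFF
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)

def make_encrypted_zip(name, data, pwd):
    """Minimal one-member, stored, ZipCrypto-encrypted archive (constructed lure)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = zipcrypto_encrypt(data, pwd, crc)
    fname = name.encode("ascii")
    flags, method, t, d = 0x0001, 0, 0, 0x0021  # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, t, d,
                        crc, len(enc), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, t, d,
                          crc, len(enc), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(enc), 0)
    return local + enc + central + eocd

# Heuristic: the word after "password [is|:|=]", plus any bare 4-8 digit run.
PASSWORD_RE = re.compile(r"pass\w*\b[^\w\n]*(?:is|:|=)?[^\w\n]*(\w{3,32})", re.I)

def password_candidates(body):
    """Passwords stated in plain text in the body, in the order found, as bytes."""
    out = []
    for c in PASSWORD_RE.findall(body) + re.findall(r"\b\d{4,8}\b", body):
        if c.encode() not in out:
            out.append(c.encode())
    return out

def scan_bytes(data):
    """Stand-in for the scanner hooked into amavisd-new: flag PE executables."""
    return "executable inside password-protected zip" if data[:2] == b"MZ" else None

def scan_message(raw):
    """(attachment, member, verdict) for each zip member that stays locked or is flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    candidates = password_candidates(body.get_content() if body else "")
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() != "application/zip" and not fname.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue
        for info in zf.infolist():
            plain = None if info.flag_bits & 0x1 else zf.read(info)
            for pwd in (candidates if plain is None else []):
                try:
                    plain = zf.read(info, pwd=pwd)
                    break
                except (RuntimeError, zipfile.BadZipFile):  # wrong password / CRC mismatch
                    continue
            verdict = "encrypted: no body password opened it" if plain is None else scan_bytes(plain)
            if verdict:
                hits.append((fname, info.filename, verdict))
    return hits

def build_sample_message():
    """Constructed lure as the thread describes: password in body, fake inert .exe in zip."""
    payload = b"MZ" + b"\x90" * 62 + b"not a real program\r\n"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "you@example.com", "Price"
    msg.set_content("Attached file is protected with the password.\nThe password is 37152.\n")
    msg.add_attachment(make_encrypted_zip("price.exe", payload, b"37152"),
                       maintype="application", subtype="zip", filename="price.zip")
    return msg.as_bytes()
```

Running scan_message(build_sample_message()) returns one hit for price.zip/price.exe. A member that none of the body's candidate passwords opens is reported as well, so the message can be held rather than delivered just because the scanner never saw plaintext; that is the gap the password-protected zip is exploiting.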
</pre>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00102" href="msg00102.html">[ale] (fwd) Is this a trojan/worm?</a></strong>
<ul><li><em>From:</em> tfreeman at intel.digichem.net (tfreeman at intel.digichem.net)</li></ul></li>
</ul></li></ul>
</body>
</html>