Looks like a match for this new worm
W32/Wallon.worm.a
http://vil.nai.com/vil/content/v_125096.htm
The message body simply contains a hyperlink, which is designed to trick users into thinking that they are going to a Yahoo News site, when in fact they are redirected to a page on the www..security-warning..biz domain.
Extra "."s added to address.

Greg


Email Admin wrote:
Hello
Our mail server received a mass mailing earlier today.
The email is addressed to [EMAIL PROTECTED] and is coming from
[EMAIL PROTECTED]

Copy of headers:
Received: from mail.citravel.com [10.215.43.52] by citravel.com
  (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
X-Declude-Spoolname: Df06e0595011c829f.SMD
X-Note: This message was scanned for Spam
X-RBL-Warning: Total weight value: 0
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Recipient Host:    citravel.com
X-Note: Sender Address:    [EMAIL PROTECTED]
X-Note: Sender Host Name:  (Private IP)
X-Note: Sender IP Address: 10.215.43.52
X-Note: Sender Country ID:
X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
Precedence: bulk
Sender: [EMAIL PROTECTED]
Date: Tue, 11 May 2004 11:32:11
X-RCPT-TO: citravel.com
Status: U
X-UIDL: 384277933

This person's email client does not show they sent this message, but the IP
of the sending host is the sender's system.
I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm EST 5/11/2004.
I am also sniffing the network now looking for other SMTP traffic.

Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news,
get sent to a pornography site. After they close this site their system
keeps having pop-ups appearing regularly.
This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news



I am not so much worried about the email but as to how it was sent.
This is where I think it might be a virus.

Currently I have a filter stopping emails with d r s . y a h o o . c o m
(space added)
I am seeing several hundred an hour being stopped.
 
Any help, ideas, thoughts?
Or should I just go golfing and forget about it??? :)
 
~Paul~

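The thread points at two things a filter can key on without blocking every drs.yahoo.com link the way Paul's current rule does: a From: address that claims the receiving domain while the connecting host is an internal IP, and a drs.yahoo.com redirect whose real destination (the part after the `*`) is a host outside yahoo.com. The script below, an added example rather than anything posted to the list or shipped with Declude, parses a constructed copy of such a message and reports those findings; the local domain, the sample addresses and the body are assumptions made up for the example, and the header values only echo what the quoted post shows.

```python
"""Added example: flag the mass-mailing pattern described in the thread.

Two checks, both defensive:
  1. From: claims the local domain but the first Received: hop is a
     private (internal) IP -- the message was generated on an inside host.
  2. The body carries a drs.yahoo.com redirect link whose true target
     (the URL after '*') is not a yahoo.com host.
Blocking on check 2 is narrower than blocking every drs.yahoo.com link.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

LOCAL_DOMAIN = "citravel.com"  # assumption: the receiving domain from the thread

# drs.yahoo.com forwards to whatever URL follows the '*' in its path.
YAHOO_REDIRECT = re.compile(
    r"https?://drs\.yahoo\.com/[^\s\"'<>]*?\*(https?://[^\s\"'<>#]+)", re.I
)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def redirect_targets(text):
    """Return the real destination hosts of every drs.yahoo.com redirect in text."""
    return [urlsplit(m.group(1)).hostname.lower() for m in YAHOO_REDIRECT.finditer(text)]


def analyse(raw_message):
    """Return {'findings': [...], 'block': bool} for one raw RFC 2822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.rpartition("@")[2].lower() == LOCAL_DOMAIN:
        findings.append("from_claims_local_domain")

    # The first Received: header is the hop closest to our server.
    received = msg.get_all("Received") or []
    ips = RECEIVED_IP.findall(str(received[0])) if received else []
    if ips and ipaddress.ip_address(ips[0]).is_private:
        findings.append("sent_from_internal_ip:" + ips[0])

    body = (msg.get_payload(decode=True) or b"").decode("us-ascii", "replace")
    off_yahoo = []
    for host in redirect_targets(body):
        findings.append("yahoo_redirect_to:" + host)
        if not (host == "yahoo.com" or host.endswith(".yahoo.com")):
            off_yahoo.append(host)

    # Block only when the redirect leaves Yahoo; legitimate drs.yahoo.com
    # links that stay on yahoo.com pass through.
    return {"findings": findings, "block": bool(off_yahoo)}


# Constructed sample modelled on the headers quoted in the thread; the
# addresses and the HTML body are invented for this example.
SAMPLE = """\
Received: from mail.citravel.com [10.215.43.52] by citravel.com
  (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com <postmaster@citravel.com>
To: user@citravel.com
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://drs.yahoo.com/citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news">Yahoo News</a></body></html>
"""

# Constructed benign counterpart: same sender, but the redirect stays on yahoo.com.
SAMPLE_CLEAN = SAMPLE.split("\n\n", 1)[0] + "\n\n" + (
    '<html><body><a href="http://drs.yahoo.com/x/*http://news.yahoo.com/story">'
    "Yahoo News</a></body></html>\n"
)

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE), ("clean", SAMPLE_CLEAN)):
        print(name, analyse(raw))
```

Run it as-is to see both verdicts; to use it on real mail, feed `analyse()` the raw message text and set `LOCAL_DOMAIN` to your own domain. The internal-IP finding is informational on its own (your own users send from private addresses too), which is why only the off-Yahoo redirect drives the `block` decision.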
--- This E-mail came from the Declude.Virus mailing list. The archives can be found at http://www.mail-archive.com.
