But it couldn't be W32.Frethem.E@mm either, as that one was only discovered yesterday.

I haven't seen nearly as many MIME Exploits as you have, but the ones I have seen can be identified as Klez by the distinctive subject lines, and the obviously spoofed from addresses. I think maybe they were Klezes that had their attachments removed by someone else's AV software, leaving the exploit still in place.

-Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 16:43
To: Exchange Discussions
Subject: RE: Possible New Virus?

No, I can see numbers for all of the Klez variations as well (eml = 6, e = 2, h = 58, dam = 4). MIME Exploit = 326.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001

-----Original Message-----
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 4:37 PM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

I think any that you received before yesterday must've been from the klez virus, which uses the same exploit. I've seen a few of those myself.

-Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 16:22
To: Exchange Discussions
Subject: RE: Possible New Virus?

Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been catching it since as far back as the middle of last month (my ePO records do not go back any further.) Even if the engine and DAT files had not been up to date WS would have stopped it due to us blocking all executables. I would assume that GS would have caught it if it had made it that far since it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as Exploit-MIME.gen. I just got something from Sophos giving it the name that John reported it as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001

-----Original Message-----
From: John Steniger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm. From Norton:

http:[EMAIL PROTECTED] l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com

> -----Original Message-----
> From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 11, 2002 1:22 PM
> To: Exchange Discussions
> Subject: Possible New Virus?
>
>
> Hi All,
> I've seen several messages coming in this morning with the
> subject line Re: Your Password!, an attachment named
> decrypt-password.exe, and the same Content-Type: audio/x-midi
> that Klez uses to auto-run. The messages are 50k or so in
> size. Is anyone else seeing this? My usual virus info sources
> don't have anything on it.
>
> -Peter
>
>
> ______________________________________________
> This message is private or privileged. If you are not the
> person for whom this message is intended, please delete it
> and notify me immediately, and please do not copy or send
> this message to anyone else.
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
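
An added example, not part of the original thread: a gateway-side check for the pattern described in the first post (an executable filename declared as `audio/x-midi`), alongside the block-all-executables rule mentioned later in the thread. The extension list, the `scan_message` name and the sample message are constructed for illustration.

```python
import os
from email import message_from_string

# Assumed policy list of executable extensions (not taken from the thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Main types a mail client may try to play or render inline.
INLINE_MEDIA = {"audio", "video", "image"}

def scan_message(raw):
    """Return (filename, declared_type, verdict) for each executable part."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition and falls back to the
        # name= parameter on Content-Type.
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        # An executable name under a media type is the mismatch the thread
        # describes; any other executable is still blocked by policy.
        mismatch = part.get_content_maintype() in INLINE_MEDIA
        verdict = "type-mismatch" if mismatch else "executable"
        findings.append((name, part.get_content_type(), verdict))
    return findings

# Constructed sample; payloads are placeholder bytes, not real binaries.
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Re: Your Password!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: audio/x-midi; name="decrypt-password.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream; name="setup.EXE"
Content-Disposition: attachment; filename="setup.EXE"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```
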