Frethem.E was the 11th, but Frethem.B, which also has the decrypt-password.exe attachment, hit on the 8th.
John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 7:55 PM
> To: Exchange Discussions
> Subject: RE: Possible New Virus?
>
> That may be true.
>
> Ken Powell
> Systems Administrator
> Clark County Office of Budget and Information Services (OBIS)
> Vancouver, Washington
> [EMAIL PROTECTED]
> Voice: (360) 397-6121 x4658
> Fax: (360) 759-6001
>
> -----Original Message-----
> From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 4:52 PM
> To: Exchange 5.5 List
> Subject: RE: Possible New Virus?
>
> But it couldn't be W32.Frethem.E@mm either, as that one was only
> discovered yesterday.
>
> I haven't seen nearly as many MIME Exploits as you have, but the ones
> I have seen can be identified as Klez by the distinctive subject lines,
> and the obviously spoofed from addresses. I think maybe they were
> Klezes that had their attachments removed by someone else's AV
> software, leaving the exploit still in place.
>
> -Peter
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 16:43
> To: Exchange Discussions
> Subject: RE: Possible New Virus?
>
> No, I can see numbers for all of the Klez variations as well
> (eml = 6, e = 2, h = 58, dam = 4). MIME Exploit = 326.
>
> Ken Powell
> Systems Administrator
> Clark County Office of Budget and Information Services (OBIS)
> Vancouver, Washington
> [EMAIL PROTECTED]
> Voice: (360) 397-6121 x4658
> Fax: (360) 759-6001
>
> -----Original Message-----
> From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 4:37 PM
> To: Exchange 5.5 List
> Subject: RE: Possible New Virus?
>
> I think any that you received before yesterday must've been from the
> Klez virus, which uses the same exploit. I've seen a few of those
> myself.
>
> -Peter
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 16:22
> To: Exchange Discussions
> Subject: RE: Possible New Virus?
>
> Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has
> been catching it since as far back as the middle of last month (my ePO
> records do not go back any further.) Even if the engine and DAT files
> had not been up to date WS would have stopped it due to us blocking
> all executables.
>
> I would assume that GS would have caught it if it had made it that far
> since it is running the same engine and dat versions.
>
> Ken Powell
> Systems Administrator
> Clark County Office of Budget and Information Services (OBIS)
> Vancouver, Washington
> [EMAIL PROTECTED]
> Voice: (360) 397-6121 x4658
> Fax: (360) 759-6001
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 8:55 AM
> To: Exchange 5.5 List
> Subject: RE: Possible New Virus?
>
> We have been seeing it for a couple of days. McAfee has been reporting
> it as Exploit-MIME.gen.
>
> I just got something from Sophos giving it the name that John reported
> it as. It has been showing up quite a lot lately.
>
> Ken Powell
> Systems Administrator
> Clark County Office of Budget and Information Services (OBIS)
> Vancouver, Washington
> [EMAIL PROTECTED]
> Voice: (360) 397-6121 x4658
> Fax: (360) 759-6001
>
> -----Original Message-----
> From: John Steniger [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 11, 2002 10:23 AM
> To: Exchange 5.5 List
> Subject: RE: Possible New Virus?
>
> Appears to be a Frethem Worm. From Norton:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.fr[EMAIL PROTECTED]l
>
> John J. Steniger
> Network and Security Manager
> Familymeds, Inc.
> Phone: 860-676-1222 X633
> Email: [EMAIL PROTECTED]
> http://www.familymeds.com
>
> > -----Original Message-----
> > From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, June 11, 2002 1:22 PM
> > To: Exchange Discussions
> > Subject: Possible New Virus?
> >
> > Hi All,
> > I've seen several messages coming in this morning with the
> > subject line Re: Your Password!, an attachment named
> > decrypt-password.exe, and the same Content-Type: audio/x-midi
> > that Klez uses to auto-run. The messages are 50k or so in
> > size. Is anyone else seeing this? My usual virus info sources
> > don't have anything on it.
> >
> > -Peter
> >
> > ______________________________________________
> > This message is private or privileged. If you are not the
> > person for whom this message is intended, please delete it
> > and notify me immediately, and please do not copy or send
> > this message to anyone else.
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
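
The trait described in the thread, an executable file name carried in a MIME part declared as `audio/x-midi`, is something a mail gateway can test for directly, alongside a plain "block all executables" rule. The following is an added example, not part of the original thread or of any vendor's product; the extension list, function names and sample messages are constructed assumptions.

```python
import email
from email import policy

# Assumed gateway policy: extensions treated as executable (adjust locally).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Declared media types that should never carry an executable file name.
MEDIA_MAINTYPES = {"audio", "video", "image"}

def _ext(filename):
    """Lower-cased extension, ignoring trailing dots and spaces."""
    name = filename.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def scan_message(raw_bytes):
    """Return (filename, declared_type, reason) for each risky attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then the Content-Type name=.
        filename = None if part.is_multipart() else part.get_filename()
        if not filename or _ext(filename) not in EXECUTABLE_EXTS:
            continue
        # An executable name under a media type is the mismatch from the thread;
        # any other executable attachment falls under the blanket block rule.
        mismatch = part.get_content_maintype() in MEDIA_MAINTYPES
        reason = "type-mismatch" if mismatch else "executable"
        findings.append((filename, part.get_content_type(), reason))
    return findings

def build_sample(ctype, filename):
    """Constructed test message; the payload is the word 'placeholder'."""
    return (
        "Subject: Re: Your Password!\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nbody\r\n"
        f'--b1\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n"
        "--b1--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for ctype, name in [("audio/x-midi", "decrypt-password.exe"),
                        ("audio/midi", "song.mid"),
                        ("application/octet-stream", "setup.exe")]:
        print(name, scan_message(build_sample(ctype, name)))
```

Logging the `type-mismatch` reason separately from `executable` keeps the count of header-spoofing messages distinct from ordinary blocked attachments.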