This is all the Swen.a (aka Gibe.a) virus. I have seen hundreds of these today, with various message bodies and various filenames. Some of the message bodies contain a mime exploit to try to automatically execute the attachment, some don't. Some appear to come from MS, some look like mailer bounces or errors.
But they all contain the same attached executable payload. The MD5 of the payload is b09e26c292759d654633d3c8ed00d18d -steve ps. If you can set your MTA to discard or reject messages based on a regexp body check here is a regexp for ya: /^8TPbiV38OV4IdC6LBolF4DvDdBSLeESJfeSJRdxQ6AOPAABZi8fr5YleCIkeiV4E6wdqAV jDi2Xo$/ > Following up my own post: > -------------------------------------------------------------- > There is no virus known to us by this name. However, Norton Anti-Virus > uses names like W97M.Automat. to name viruses which have > been detected > automatically. > > VARIANT: Automat.K > -------------------------------------------------------------- > > So it looks new. > > ...Eric > > > > On Fri, 19 Sep 2003 [EMAIL PROTECTED] wrote: > > > Check out Usenet or Google groups, lots of autospam > postings about this to > > news.admin.net-abuse.sightings. > > > > One says: > > > > hqbkyk.exe was infected with the malicious virus > Worm.Automat.AHB and > > has been deleted because the file cannot be cleaned. > > > > ...Eric > > > > > > On Fri, 19 Sep 2003, Ron Clark wrote: > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
