There is some information on this on the CERT web site:
http://www.cert.org/current/current_activity.html#virus

-chris

> What is this virus script written in? vbscript? I looked at it in a text
> editor and it looks like vbscript.
> 
> -Brent
> 
> ----- Original Message -----
> From: "Scott Faulkner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 21, 2000 8:48 PM
> Subject: Re: WARNING - Possible Virus Re: Fw: Life stages
> 
> 
> >
> > I just threw it into a hex editor and discovered it is the
> > ShellScrapWorm by SimpleSimon. It first appeared
> > yesterday on a Firewall List and I'm sure the other
> > Linux lists are the next targets this jerk will send it to.
> >
> >
> > Scott Faulkner
> > [EMAIL PROTECTED]
> >
> >
> >
> > > Warning to ALL on linux_net
> > > This message threw up a VIRUS alert in our system.
> > >
> > > >>From: Robert Barnes <[EMAIL PROTECTED]>
> > > >>Subject: Fw: Life stages
> > > >>Date: Thu, 22 Jun 2000 09:41:24 +1000
> > >
> > >
> > > Looking at the code, it DOES appear to search through AddressBook Entries...
> > >
> > > >> For VH=1 To G.AddressEntries.Count
> > > >> Set FP=G.AddressEntries(VH)
> > > >> If VH=1 Then U.BCC=FP.Address Else U.BCC=U.BCC&D("< ")&FP.Address
> > > >> Next
> > >
> > > The message came through the linux-net path from
> > > Robert Barnes <[EMAIL PROTECTED]>
> > > Path is shown below
> > > ---------------------
> > > Return-Path: <[EMAIL PROTECTED]>
> > > Received: from nic.funet.fi (nic.funet.fi [193.166.0.145])
> > > by ns.ecomrenaissance.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with
> > > ESMTP id KAA15789
> > > for <[EMAIL PROTECTED]>; Thu, 22 Jun 2000 10:38:46 +1000
> > > Received: from vger.rutgers.edu ([128.6.190.2]:27861 "EHLO vger.rutgers.edu"
> > > ident: "NO-IDENT-SERVICE[2]" smtp-auth: <none> TLS-CIPHER: <none>)
> > > by nic.funet.fi with ESMTP id <S7481AbQFVAh3>;
> > > Thu, 22 Jun 2000 03:37:29 +0300
> > > Received: ([EMAIL PROTECTED]) by vger.rutgers.edu via listexpand
> > > id <S157292AbQFUXkg>; Wed, 21 Jun 2000 19:40:36 -0400
> > > Received: by vger.rutgers.edu id <S157250AbQFUXk1>;
> > > Wed, 21 Jun 2000 19:40:27 -0400
> > > Received: from [203.102.220.26] ([203.102.220.26]:1615 "EHLO
> > > mail.nulec.com.au")
> > > by vger.rutgers.edu with ESMTP id <S157272AbQFUXjz>;
> > > Wed, 21 Jun 2000 19:39:55 -0400
> > > Received: by MAIL with Internet Mail Service (5.5.2650.21)
> > > id <NMGQY57Y>; Thu, 22 Jun 2000 09:41:26 +1000
> > > Message-ID: <1072F1A27E99D3119747005004B9A380668583@MAIL>
> > > From: Robert Barnes <[EMAIL PROTECTED]>
> > > Subject: Fw: Life stages
> > > Date: Thu, 22 Jun 2000 09:41:24 +1000
> > > MIME-Version: 1.0
> > > X-Mailer: Internet Mail Service (5.5.2650.21)
> > > Content-Type: multipart/mixed;
> > > boundary="----_=_NextPart_000_01BFDBDA.36ABB0ED"
> > > To: unlisted-recipients:; (no To-header on input)
> > > Sender: [EMAIL PROTECTED]
> > > Precedence: bulk
> > > X-Loop: [EMAIL PROTECTED]
> > > X-UIDL: 23a987b19aefc34b1cc95b13ac3ea961
> > >
> > > > The male and female stages of life.
> > >
> > >
> > > Content-Type: application/octet-stream;
> > > name="LIFE_STAGES.TXT.SHS"
> > > Content-Disposition: attachment;
> > > filename="LIFE_STAGES.TXT.SHS"
> >
> > -----------------------------------------------------------------------------
> > > >> The male and female stages of life.
> > > >
> > > >
> > > >Content-Type: application/octet-stream;
> > > > name="LIFE_STAGES.TXT.SHS"
> > > >Content-Disposition: attachment;
> > > > filename="LIFE_STAGES.TXT.SHS"
> > > >
> > > >Attachment converted: :LIFE_STAGES.TXT.SHS (????/----) (000B8227)
> > >
> > >
> > >
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe linux-net" in
> > > the body of a message to [EMAIL PROTECTED]
> >
> >
> 
> 
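
Added example, not part of the original thread: a mail-filter style check, written with Python's standard `email` module, that flags attachments named like the `LIFE_STAGES.TXT.SHS` file quoted above, where a harmless-looking extension sits in front of an executable one. The function name, both extension lists and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Assumed, non-exhaustive list of extensions Windows will execute or script-host.
RISKY_EXTS = {".shs", ".shb", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
              ".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".lnk", ".hta"}
# Assumed list of extensions a reader takes for a harmless document.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}

def flag_attachments(raw_message):
    """Return [(filename, [reasons])] for attachments that should be quarantined."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Checks Content-Disposition filename= first, then Content-Type name=.
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, so ignore them when matching.
        suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
        reasons = []
        if suffixes and suffixes[-1] in RISKY_EXTS:
            reasons.append("risky-extension:" + suffixes[-1])
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                reasons.append("double-extension:" + "".join(suffixes[-2:]))
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample modelled on the headers quoted in the thread; the
# attachment body is placeholder text, not the real file.
SAMPLE = """\
Subject: Fw: Life stages
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

The male and female stages of life.
--BOUNDARY
Content-Type: application/octet-stream;
 name="LIFE_STAGES.TXT.SHS"
Content-Disposition: attachment;
 filename="LIFE_STAGES.TXT.SHS"

placeholder bytes
--BOUNDARY--
"""
```

Calling `flag_attachments(SAMPLE)` reports the attachment with both a risky-extension and a double-extension reason; a gateway would typically quarantine on either.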
