Pls adapt your content filters:
-----------------------------------------
W32/[EMAIL PROTECTED] (Medium Risk Alert)
SonicWALL wants to make you aware of the W32/[EMAIL PROTECTED] virus that is spreading
across the Internet. A medium-level alert has been issued for this threat.
Overview
This mass-mailing worm spreads as a .ZIP file and contains a denial of service payload.
A summary of the virus characteristics is as follows:
* contains its own SMTP engine for constructing messages
* mails itself as a ZIP attachment
* harvests email addresses from the local machine
* sends a large volume of data (garbage) to a remote server - suggestive of a DoS
payload (see below)
Mail Propagation
Target email addresses are harvested from many files on the victim machine. These are
written to the file EML.TMP in %WinDir%. Testing shows the worm is overly lax in
identifying valid email addresses - as a result messages are likely to be sent to
invalid recipients.
Outgoing messages are constructed using the worm's own SMTP engine. They are formatted
as follows:
Subject : Re[2]: our private photos (plus additional spaces then random characters)
Attachment : PHOTOS.ZIP (12,958 bytes) which contains PHOTOS.JPG.EXE (12,832 bytes)
Message Body :
Hello Dear!,
Finally, i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're withou ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
(random characters - the same as those terminating the subject)
Messages are constructed with the following X-headers:
X-Mailer: The Bat! (v1.62)
X-Priority: 1 (High)
The 'From' address of outgoing messages may be spoofed with james@(target domain.com).
For example:
[EMAIL PROTECTED]
As for previous variants, the mailing routine queries the mail server for the domain
of the target (harvested) address. Messages are then sent through that SMTP
server. As previously, the worm contains a hardcoded IP address (212.5.86.163).
Denial of Service
The worm sends a large amount of data to remote servers (port 80 and ICMP). The worm
verifies that a connection is active by contacting www.google.com. If successful an
attack is initiated on the following domains:
* darkprofits.net
* darkprofits.com
* www.darkprofits.net
* www.darkprofits.com
Symptoms
* Existence of the files and Registry key detailed in the Method of Infection
section.
* Outgoing messages matching those described above
* Large volumes of data being sent to port 80 of a remote server
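The following is an added example of the kind of content-filter rule the message above asks for; it is not SonicWALL's code and not part of the alert. It takes the indicators from the Mail Propagation and Symptoms sections (the subject prefix, the PHOTOS.ZIP attachment carrying PHOTOS.JPG.EXE, the X-Mailer and X-Priority headers, the james@ sender) and scores a raw RFC 822 message against them. The sample message it builds is constructed for illustration, and the ZIP it carries holds a harmless placeholder string, not the worm; the thresholds in verdict() are an assumption of this example, not something the alert states.

```python
"""Mail-gateway check for the worm described in the alert (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# indicators taken from the alert text
SUBJECT_PREFIX = "Re[2]: our private photos"
ATTACHMENT_NAME = "photos.zip"
INNER_NAME = "photos.jpg.exe"
X_MAILER = "The Bat! (v1.62)"


def zip_member_names(data):
    """Lower-cased member names of a ZIP blob; anything unreadable yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def has_double_extension_executable(names):
    """True for members like photos.jpg.exe (an .exe hiding behind a second extension)."""
    return any(n.endswith(".exe") and n.count(".") >= 2 for n in names)


def score_message(raw):
    """Parse a raw message and report which of the alert's indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": msg.get("Subject", "").startswith(SUBJECT_PREFIX),
        "x_mailer": msg.get("X-Mailer", "").strip() == X_MAILER,
        "x_priority": msg.get("X-Priority", "").strip().startswith("1"),
        "from_james": "james@" in msg.get("From", "").lower(),
        "attachment": False,
        "inner_exe": False,
    }
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits["attachment"] = True
        names = zip_member_names(part.get_payload(decode=True) or b"")
        if INNER_NAME in names or has_double_extension_executable(names):
            hits["inner_exe"] = True
    return hits


def verdict(hits):
    """Assumed policy: the ZIP-wrapped double-extension executable alone is enough to
    block (it is the actual carrier); three or more weaker indicators quarantine."""
    if hits["inner_exe"]:
        return "block"
    if sum(hits.values()) >= 3:
        return "quarantine"
    return "pass"


def build_sample_message():
    """Constructed sample shaped like the alert's message; the archive is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PHOTOS.JPG.EXE", b"placeholder text, not the worm")
    msg = EmailMessage()
    msg["From"] = "james@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = SUBJECT_PREFIX + " x4f9k"
    msg["X-Mailer"] = X_MAILER
    msg["X-Priority"] = "1 (High)"
    msg.set_content("Hello Dear!,\nRight now enjoy the photos.\nKiss, James.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="PHOTOS.ZIP")
    return bytes(msg)


if __name__ == "__main__":
    hits = score_message(build_sample_message())
    print(hits, "->", verdict(hits))
```

The double-extension check is deliberately broader than the one filename in the alert, since the same trick is what makes the attachment open as a program while looking like a picture; the header and sender matches are kept as supporting evidence rather than blocking on their own, because a spoofed From and a common mailer string also appear in legitimate traffic.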
Method of Infection
When run on the victim machine, the worm installs itself into %WinDir% as
NETWATCH.EXE. For example:
C:\WINNT\NETWATCH.EXE (12,832 bytes)
Three other files are also dropped into %WinDir%:
* %WinDir%\EML.TMP - contains a list of the email addresses harvested from the
victim machine
* %WinDir%\EXE.TMP - copy of the worm
* %WinDir%\ZIP.TMP - a ZIP archive containing the worm
System startup is hooked via the following Registry key:
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \