Hi Steven,
Okay, this is probably the NewApt worm/trojan/virus. Here are
some descriptions of it:
Trend Micro Description
http://www.antivirus.com/vinfo/security/sa121499.htm
NAI Avert Description
http://vil.nai.com/vil/wm10475.asp
Symantec Description
http://www.symantec.com/avcenter/venc/data/worm.newapt.html
F-Secure Description
http://www.europe.f-secure.com/v-descs/newapt.htm
The NTBugTraq mailing list had the same problem last week.
All it takes is one person on a mailing list to get infected,
then it sends itself off to people who have posted messages to
the list. For example, I got a WinApt message from Italy that was a
reply to a message I posted in August to NTBugTraq.
An interesting side note, NewApt contains an IP address
for a Microsoft Web server that shows the www.microsoft.com
homepage. Not sure what the purpose of this address is
in the code.
Richard
> -Original Message-
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of Steven
> Alexander
> Sent: Wednesday, December 22, 1999 11:49 AM
> To: [EMAIL PROTECTED]
> Subject: Warning to Bugtraq posters.
>
>
> After my last post to bugtraq (Re: w00w00) I received a message
> pertaining to be from myself with the same subject line. The message
> contained an attachment program named goal.exe. It claimed that this
> program was from messagemates.com. If the program is run it will give an
> error message about an unfound .DLL. It will also create a new goal.exe in
> "C:\WINNT\" and an entry in the registry named "tpawen" with the value
> "C:\WINNT\goal.exe /x" under
> "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run". I don't
> know what this program is, I am disassembling it now and will post again
> later. The header from the message I received indicates that the mail was
> received by my mail server from "stu.chesapeake.net, 205.130.220.9". If
> anyone knows anything more please email me.
>
> -steven alexander
>
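
A check for the persistence entry reported in the quoted message, run over the text of a .reg export of the Run key. This is an added example, not part of the original thread; the function names and the sample export are constructed, and matching goal.exe in any directory is an assumption of the example.

```python
import re

# Indicators as reported in the quoted message above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_NAME = "tpawen"
# Assumption of this example: match the file name in any directory, since the
# Windows directory is not C:\WINNT on every host.
DROPPED_EXE = re.compile(r'(?:^|[\\/"\s])goal\.exe(?=[\s"]|$)', re.IGNORECASE)

# Constructed sample of a .reg export (not data from a real host).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"tpawen"="C:\\WINNT\\goal.exe /x"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\WINNT\\setup.exe"
'''

# "name"="data" string values; a backslash escapes the next character.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def find_newapt_run_entries(reg_text):
    """Return (value name, command, reasons) for matching Run entries."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key paths are case-insensitive.
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        match = STRING_VALUE.match(line) if in_run_key else None
        if not match:
            continue
        name, command = unescape(match.group(1)), unescape(match.group(2))
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        if DROPPED_EXE.search(command):
            reasons.append("file name")
        if reasons:
            hits.append((name, command, reasons))
    return hits
```

A hit on the file name alone, under a different value name, still merits a look at the file the command points to.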