[Declude.Virus] FW: AVERT Medium Threat Advisory: W32/[EMAIL PROTECTED]

2005-10-05 Thread Andy Schmidt
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Subject: AVERT Medium Threat Advisory: W32/[EMAIL PROTECTED]

Advisory
This is a Medium Threat Advisory for W32/[EMAIL PROTECTED]

Justification
W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence.

Read About It
Information about W32/[EMAIL PROTECTED] is located on VIL at:
http://vil.nai.com/vil/content/v_136390.htm

Detection
W32/[EMAIL PROTECTED] was first discovered on October 5, 2005 and detection
will be added to the 4598 dat files (Release Date: October 5, 2005). The
EXTRA.DAT IS AVAILABLE.

If you suspect you have W32/[EMAIL PROTECTED], please submit a sample to
http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions
please see: 
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards, 

McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions
Visit us at www.avertlabs.com

You are currently subscribed to avertalert as: [EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Possible new virus

2005-10-05 Thread Darrell ([EMAIL PROTECTED])



McAfee released this within the last hour:


Advisory
This is a Medium Threat Advisory for W32/[EMAIL PROTECTED]

Justification
W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence.

Read About It
Information about W32/[EMAIL PROTECTED] is located on VIL at:
http://vil.nai.com/vil/content/v_136390.htm

Detection
W32/[EMAIL PROTECTED] was first discovered on October 5, 2005 and detection
will be added to the 4598 dat files (Release Date: October 5, 2005). The
EXTRA.DAT IS AVAILABLE.

If you suspect you have W32/[EMAIL PROTECTED], please submit a sample to
http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions
please see:
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards,

McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions
Visit us at www.avertlabs.com

---
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Download it today - http://www.invariantsystems.com.

  - Original Message -
  From: Darrell ([EMAIL PROTECTED])
  To: Declude.Virus@declude.com
  Sent: Wednesday, October 05, 2005 10:46 PM
  Subject: Re: [Declude.Virus] Possible new virus

  A lot got through today with that one, but it's being caught by F-Prot now.

  10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
  10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

  My first hit was at 20:02 EST tonight.

  Darrell
  ---
  Check out http://www.invariantsystems.com for utilities for Declude and IMail: IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
  


Re: [Declude.Virus] Possible new virus

2005-10-05 Thread Darin Cox



My first hit was right around that time as well. That's a quick catch by F-Prot.

Darin.
 
 
- Original Message -
From: Darrell ([EMAIL PROTECTED])
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:46 PM
Subject: Re: [Declude.Virus] Possible new virus

A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell



Re: [Declude.Virus] Possible new virus

2005-10-05 Thread Matt




This is scary.  I verified the same pattern of the messages all being
relayed through one of those two servers.  The headers of the messages
also show randomization in both the types of headers as well as the
basic construct of things like message boundaries.  This is very
spammy, and it is a clear sign of this being a seeding event where
machines that were previously compromised have been configured with
spamware to carry out this coordinated mass-mailing.

As far as this particular worm goes, it follows a pattern now over a
year old.  The neo-Nazis in Germany have used this virus to infect
machines and then in turn they sent out massive amounts of propaganda.
They did this twice so far, and before each event there was a similar
outbreak of Sober.  This shows a sophistication that I have not ever
seen.  The trick of relaying everything through a service provider
really takes the cake.  This virus was designed to not only get past
virus scanners, but also spam blocking.  I haven't seen any other
viruses that have done anything to mask their true source like this one
does.

Matt



Darin Cox wrote:

  We're seeing a lot of emails with pword_change.zip attached.  May want to block it in your virus.cfg.

  Subject is "Your new Password".  All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

  Darin.





Re: [Declude.Virus] Possible new virus

2005-10-05 Thread Darrell ([EMAIL PROTECTED])



A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell

  - Original Message -
  From: Darin Cox
  To: Declude.Virus@declude.com
  Sent: Wednesday, October 05, 2005 10:33 PM
  Subject: [Declude.Virus] Possible new virus

  We're seeing a lot of emails with pword_change.zip attached.  May want to block it in your virus.cfg.

  Subject is "Your new Password".  All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

  Darin.
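The two Declude log lines Darrell pasted (a "MIME file:" line for the attachment and a "Scanner N:" line for the hit) share a queue id, which is what lets an admin tell caught messages from ones that got through. The following is an added example, not code from the thread or from Declude: a small Python parser that groups lines of that shape by queue id and reports, for a watched attachment name such as pword_change.zip, whether any scanner flagged it. The sample log, the queue ids other than the one quoted above, the sizes and the virus name `W32/PLACEHOLDER` are all constructed for the example; the two regexes are an assumption about the line layout derived only from the lines quoted in this thread.

```python
"""Correlate Declude virus-log lines by queue id (added example, not from the thread)."""
import re

# Constructed sample log in the shape quoted in this thread; the second and
# third queue ids, the sizes and the virus name are placeholders, not real data.
SAMPLE_LOG = """\
10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/PLACEHOLDER Attachment=pword_change.zip [12] O
10/05/2005 22:07:02 Q00000000000000A1 MIME file: report.pdf [base64; Length=4021 Checksum=99]
10/05/2005 22:07:40 Q00000000000000B2 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:08:11 not a log line at all
"""

# Assumed layout, inferred from the quoted lines: "<date> <time> <queue id> <event>"
TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
QID = r"(?P<qid>Q[0-9A-Fa-f]+)"
MIME_RE = re.compile(
    TS + " " + QID
    + r" MIME file: (?P<name>\S+) \[(?P<enc>[^;]+); Length=(?P<length>\d+) Checksum=(?P<checksum>\d+)\]$"
)
SCAN_RE = re.compile(
    TS + " " + QID + r" Scanner (?P<scanner>\d+): Virus=(?P<virus>\S+) Attachment=(?P<name>\S+)"
)


def parse_log(text):
    """Group MIME-file and scanner-hit lines by queue id, keeping first-seen order."""
    messages = {}
    for line in text.splitlines():
        m = MIME_RE.match(line)
        if m:
            entry = messages.setdefault(m["qid"], {"attachments": [], "hits": []})
            entry["attachments"].append(
                {"ts": m["ts"], "name": m["name"],
                 "length": int(m["length"]), "checksum": int(m["checksum"])}
            )
            continue
        s = SCAN_RE.match(line)
        if s:
            entry = messages.setdefault(s["qid"], {"attachments": [], "hits": []})
            entry["hits"].append(
                {"ts": s["ts"], "scanner": int(s["scanner"]),
                 "virus": s["virus"], "name": s["name"]}
            )
        # other line types, and anything unparseable, are ignored on purpose
    return messages


def find_watched_attachments(text, watched_names):
    """Return (qid, attachment, status) for each message carrying a watched
    attachment name.  status is 'caught' when some scanner flagged that
    attachment and 'missed' when none did (the messages that got through)."""
    watched = {n.lower() for n in watched_names}
    results = []
    for qid, entry in parse_log(text).items():
        flagged = {h["name"].lower() for h in entry["hits"]}
        for att in entry["attachments"]:
            name = att["name"].lower()
            if name in watched:
                results.append((qid, att["name"], "caught" if name in flagged else "missed"))
    return results


if __name__ == "__main__":
    for qid, name, status in find_watched_attachments(SAMPLE_LOG, {"pword_change.zip"}):
        print(f"{qid} {name}: {status}")
```

Run against a real virus log, the "missed" rows are the messages whose attachment slipped past every configured scanner before the definitions caught up, which is the gap Darrell describes between his first hit at 20:02 and F-Prot starting to catch it.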


[Declude.Virus] Possible new virus

2005-10-05 Thread Darin Cox



We're seeing a lot of emails with pword_change.zip attached.  May want to block it in your virus.cfg.

Subject is "Your new Password".  All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.