Can you send a copy for me?
Maybe I can do some reverse engineering and try to help you figure out what's happening...
On Wed, 2 Mar 2005 16:05:06 +, Matthew Burling
<[EMAIL PROTECTED]> wrote:
>
> Floods the network with DCOM packets
>
> Infected files include:
>
> C:\windows\system32\dxmsrv.exe
Matthew Burling wrote:
C:\windows\system32\dxmsrv.exe
C:\windows\system32\winmes.exe
Submit your suspicious file to norman sandbox (
http://sandbox.norman.no/live_4.html ), it will tell you if these are
bots contacting their 0wner via some irc channel and other suspicious
activity.
MB> C:\windows\system32\dxmsrv.exe
MB> C:\windows\system32\winmes.exe
Try http://virusscan.jotti.org/
--
Thierry Zoller
mailto:[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Floods the network with DCOM packets
Infected files include:
C:\windows\system32\dxmsrv.exe
C:\windows\system32\winmes.exe
These aren't yet detected by Symantec
1/3/2005 rev. 21
Doesn't infect a fully patched Windows PC
Does anyone have any ideas?
: Re: [Full-Disclosure] New virus?
What's the contents of the files...
requests for those files result in 404's
like
http://www.fotosgratis.pop.com.br/botao.txt
So what urls are they fetching, or is the 404 the result the clients receive?
Adam Jacob Muller
Where is it written in the Constitution, in what article or section is
TECTED]>
Sent: Monday, September 27, 2004 3:07 PM
Subject: Re: [Full-Disclosure] New virus?
> Bernardo,
>
> Do you have access to this machine, either physically
> or remotely (as an admin)? If so, have you pulled any
> data from the system to see what's going on?
>
Wernesback
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New virus?
- Original Message -
From: Bernardo Santos Wernesback <[EMAIL PROTECTED]>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-Disclosure] New virus?
To: [EMAIL PROTECTED]
Hi everyone,
Has anyone seen a
om: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New virus?
- Original Message -
From: Bernardo Santos Wernesback <[EMAIL PROTECTED]>
Date:
- Original Message -
From: Bernardo Santos Wernesback <[EMAIL PROTECTED]>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-Disclosure] New virus?
To: [EMAIL PROTECTED]
Hi everyone,
Has anyone seen a lot of HTTP activity to a certain site:
http://www.fotosgratis.pop.
Bernardo,
Do you have access to this machine, either physically
or remotely (as an admin)? If so, have you pulled any
data from the system to see what's going on?
--- Bernardo Santos Wernesback <[EMAIL PROTECTED]>
wrote:
> Hi everyone,
>
> Has anyone seen a lot of HTTP activity to a certain
>
On Mon, 27 Sep 2004 14:44:58 -0300, Bernardo Santos Wernesback
<[EMAIL PROTECTED]> wrote:
>
> Hi everyone,
>
> Has anyone seen a lot of HTTP activity to a certain site:
> http://www.fotosgratis.pop.com.br ?
>
> One of our clients has several machines making tons of requests for TXT files
Hi everyone,
Has anyone seen a lot of HTTP activity to a certain site: http://www.fotosgratis.pop.com.br ?
One of our clients has several machines making tons of requests for TXT files on that server:
botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
c
On Mon, 9 Aug 2004 13:03:54 -0600, "Jonathan Grotegut" <[EMAIL PROTECTED]> said:
> (In regards to new_price.zip file attachment) Anyone have any idea
> what this is, we had some clients just get pretty hard with this
> email. I am unable to find anything on it, from my VERY Limited
> knowledge it
On Mon, 2 Aug 2004, Vic Vandal wrote:
> There's a new .ZIP attachment that mimics some of the recent ones
> in arriving as something like [EMAIL PROTECTED], extracting to
> [EMAIL PROTECTED], which is a Windows command file.
>
[SNIP]
Nothing new about this, virus attachments have been do
There's a new .ZIP attachment that mimics some of the recent ones
in arriving as something like [EMAIL PROTECTED], extracting to
[EMAIL PROTECTED], which is a Windows command file.
I've only just started looking at the payload, and see it does some
reg key checks on WOW (looking for itself...no ti
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
You forgot Bagle'95 SR-1, Bagle'98 and Bagle'98SE!
:-D
Jos Osborne wrote:
|>How about Bagle2.x ?
|
|
| Or Bagle3.11, Bagle'95, BagleMe, Bagle2000, BagleXP...
|
| ;>
|
| Jos
- --
Paolo A. Gallenga
System Administrator
Atlantica Sistemi S.r.l.
[EMAIL PROT
> How about Bagle2.x ?
Or Bagle3.11, Bagle'95, BagleMe, Bagle2000, BagleXP...
;>
Jos
From: "Helmut Hauser" <[EMAIL PROTECTED]>
Date sent: Thu, 18 Mar 2004 11:08:44 +0100
> link to virus is ...
> http://blah.blah.blah:81/100721.php
The php is a dead giveaway: this is probably Bagle.Q et al. (The message probably
had object tags around this, correct
"Michael Bemmerl" <[EMAIL PROTECTED]> wrote:
> How about Bagle2.x ?
No.
For lots of reasons, no...
Regards,
Nick FitzGerald
"Richard" <[EMAIL PROTECTED]> wrote:
> Looks to be the latest in the Bagle / Beagle family. Symantec have got it
> as the [EMAIL PROTECTED], discovered March 18 10:00
Yes -- there is huge naming confusion with the Bagles.
This is partly because of similarities between some Bagle variants and
so
"Schmehl, Paul L" <[EMAIL PROTECTED]> wrote:
> > come to think of it. what will be the names of the viruses
> > after Bagle.Z ?
> >
> Bagle.AA,AB,AC, etc.
Obvious, ain't it?
It's an (English) alphabetic counting system...
> And on and on it goes, and where it ends, nobody knows...
Indeed.
Hi Frederik,
- Original Message -
> come to think of it. what will be the names of the viruses after
> Bagle.Z ?
How about Bagle2.x ?
Greetings,
Michael
- Original Message -
From: "Schmehl, Paul L" <[EMAIL PROTECTED]>
> Bagle.AA,AB,AC, etc.
>
> And on and on it goes, and where it ends, nobody knows...
>
It'll end when Bagle.AAA... hits a BoF in a virus scanner
overwriting EIP with 0x41414141 ;)
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Frederik Berger
> Sent: Thursday, March 18, 2004 8:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re[2]: [Full-Disclosure] New Virus under way ...
>
> come to think of it. wh
> Hello Nick,
>
> NF> It will have been one of the new Bagle variants
> discovered in the last
> NF> few hours -- Bagle.Q (though some vendors had already
> named this with
> NF> an earlier variant ascription), Bagle.R and Bagle.S all fit the
> NF> description, and possibly the just discovered
Hello Nick,
NF> It will have been one of the new Bagle variants discovered in the last
NF> few hours -- Bagle.Q (though some vendors had already named this with
NF> an earlier variant ascription), Bagle.R and Bagle.S all fit the
NF> description, and possibly the just discovered (within the last h
"Helmut Hauser" <[EMAIL PROTECTED]> wrote:
> got a strange Mail 2day:
>
> Subject: RE: Protected message
> From: [EMAIL PROTECTED]
>
> link to virus is ...
> http://:81/100721.php
It will have been one of the new Bagle variants discovered in the last
few hours -- Bagle.Q (though some vendor
ROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 12:08 PM
Subject: [Full-Disclosure] New Virus under way ...
> got a strange Mail 2day:
>
> Subject: RE: Protected message
> From: [EMAIL PROTECTED]
>
> link to virus is ...
> http://221.153.61.232:81/100
got a strange Mail 2day:
Subject: RE: Protected message
From: [EMAIL PROTECTED]
link to virus is ...
http://221.153.61.232:81/100721.php
Host is in Korea, abuse warning has been sent.
can anyone verify what kind of malware that is ?
Helmut
I was updating the AV Scanners since there is a new thread:
Sophos and Trend Micro have updated their Signatures very fast and Trend
Micro rated it as medium.
F-Secure have a nice Analysis:
http://www.f-secure.com/v-descs/netsky_c.shtml
so time to update again and to send that §$%&/ to /dev/null
Hi everybody!
Today I got an ICQ message from a user called "Monica" (just search on ICQ:
http://people.icq.com/whitepages/search_results/1,,,00.html?FirstName=Monique&LastName=&NickName=Monica&Country=49). In her details is a URL:
http://www.rsngermany.com/my_foto.htm This is a fake 404-Error-
On Tuesday 25 November 2003 5:17 pm, Steven Harrison wrote:
> Just for fun, I pointed my web browser at
> http://finance.red-host.com/events.php and all I got back was:
>
> exec:http://wendy35.phpwebhosting.com/netm.exe
>
> I retrieved that file, and running it 'strings' does imply that it
> will c
On Tue, 25 Nov 2003, Lorenzo Hernandez Garcia-Hierro wrote:
> Hi,
> Look this line:
> GET /events.php?%s HTTP/1.1
> Accept: */*
> Connection: Keep-Alive
> Host: finance.red-host.com
> id=%s&ip=%s&speed=%d&timeonline=%d
> finance.red-host.com
> so imagine this:
> id=[autonumeric ]&ip=[internet add
? And why
would he send them after this unfortunate "no condom" incident? So many
questions ;-)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew Thomas
Sent: Tuesday, November 25, 2003 3:02 AM
To: 'Full Disclosure'
Subject: [
IL PROTECTED]>
To: "'Full Disclosure'" <[EMAIL PROTECTED]>
Sent: Tuesday, November 25, 2003 9:02 AM
Subject: [Full-Disclosure] New virus
> Hi,
>
> Just to confirm receipt of another email containing the following
> text:
> --snip--
> Hello my dear Ma
Hi,
Just to confirm receipt of another email containing the following
text:
--snip--
Hello my dear Mary,
I have been thinking about you all night. I would like to apologize
for the other night when we made beautiful love and did not use
condoms. I know this was a mistake and I beg you to forg
On Tue, Nov 25, 2003 at 10:43:38AM +0200, Andrew Thomas wrote:
> Hi,
>
> Just to confirm receipt of another email containing the following
> text:
> --snip--
> Hello my dear Mary,
>
(...)
>
> With attached Private.zip.
(...)
It's identified as 'Troj/Sysbug-A' by Sophos.
Greets,
_Alain_
Has anyone seen this virus? Just saw an alert about this on NAI, Trend and Sophos. More importantly, does anyone have a sample of it?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Agreed, and some of us have virus filters that prevent us from receiving them
in the first place :)
On Saturday 20 September 2003 09:41 am, Peter Kruse spake thusly:
> If we really need to post live samples to a list like this, I would
> suggest, we
-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Peter Kruse
> Sent: Sunday, 21 September 2003 2:41 a.m.
> To: [EMAIL PROTECTED]
> Subject: SV: [Full-Disclosure] new virus: (fwd)
>
>
> Hi Morning wood,
>
> If we really need to post
"B.K. DeLong" <[EMAIL PROTECTED]> wrote:
> This is absolutely INSANE. I've got AVs picking up Automat.AHB, Gibe.F and
> Swen.A - all for the same virus. ...
It would have helped if you had said what product reported which "name"
_AND_ given the full report in its proper context as that may help
--On Saturday, September 20, 2003 12:15 PM +0530 morning_wood
<[EMAIL PROTECTED]> wrote:
attached virus spoofing microsoft network security update
file is .zip password is "infected"
email body follows
Thanks, morning. The other 137 copies I got weren't zipped, so this is
obviously somethi
t; [mailto:[EMAIL PROTECTED] On behalf of
> morning_wood
> Sent: 20 September 2003 08:45
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] new virus: (fwd)
>
>
> attached virus spoofing microsoft network security update
> file is .zip password is "infected"
This is all the Swen.a (aka Gibe.a) virus. I have seen hundreds of
these today, with various message bodies and various filenames.
Some of the message bodies contain a mime exploit to try to
automatically execute the attachment, some don't.
Some appear to come from MS, some look like mailer bou
[...]
> > If you meant swen, this doesn't look like swen. Nothing mentioning
> > micro$oft
>
> Today I received a copy of both emails and they both came from the same
> host within a 15 minute interval. That makes me also believe that they are
> connected somehow.
>
> Maybe a computer infected by
At 12:43 PM 9/19/2003 -0400, [EMAIL PROTECTED] wrote:
Following up my own post:
--
There is no virus known to us by this name. However, Norton Anti-Virus
uses names like W97M.Automat. to name viruses which have been detected
automatically
I am now getting fake Microsoft patches with a Microsoft like mail
address.
Gary
On Fri, 2003-09-19 at 11:30, Michael Scheidell wrote:
> >
> > Has anyone seen an email going around with subject bug message
> > containing a supposed audio attachment that is really an exe named
> > ckcwr.exe.
>
On Fri, 19 Sep 2003, Ron Clark wrote:
>
>
> -- Forwarded message --
> Date: Fri, 19 Sep 2003 18:22:00 +0300
> From: Eero Volotinen <[EMAIL PROTECTED]>
> To: Ron Clark <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] new virus:
>
Yeah, swan's been a b***h the past two days. I'm getting into the habit
of deleting any email in mutt that shows up as 2K (most have the "Latest
Microsoft" header, but a couple are bounced).
G
On or about 2003.09.19 09:26:50 +, [EMAIL PROTECTED] ([EMAIL PROTECTED]) said:
> Similar emails hav
My H+BEDV AntiVir is alerting on both the Swen virus (bogus Microsoft
patch) and this variant, tagging them both as Gibe.C.1
This version doesn't mention any patch. It seems more closely related
to the older Gibe variants.
Here's the text/html from the new 'bounce' variant:
-
2003 18:22:00 +0300
> > From: Eero Volotinen <[EMAIL PROTECTED]>
> > To: Ron Clark <[EMAIL PROTECTED]>
> > Subject: Re: [Full-Disclosure] new virus:
> >
> > Yes, it's swan virus.
> >
> > --
> > Eero
> >
> > If you meant swe
It was Swen. He sent me the file. F-Prot caught it on my mail gateway.
-Josh
On Sep 19, 2003, at 11:27 AM, Cael Abal wrote:
You're going to have to give us more than a vague subject line and
what looks like a randomly-generated filename, Ron. Have you tried
any of the major AV tools?
take ca
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 5:43 PM
Subject: Re: [Full-Disclosure] new virus: (fwd)
>
>
> -- Forwarded message --
> Date: Fri, 19 Sep 2003 18:22:00 +0300
> From: Eero Volotinen <[EMAIL PROTECTED]>
> To: Ron Clark <[EMAIL PROTE
it is the SWEN virus. I've received dozens of them, McAfee picks it up as
Swen, have no reason to doubt it :-)
Exibar
- Original Message -
From: "Ron Clark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 11:43 AM
Subject: Re:
On Fri, 19 Sep 2003, Ron Clark wrote:
>
> Has anyone seen an email going around with subject bug message
> containing a supposed audio attachment that is really an exe named
> ckcwr.exe.
Similar emails have wound up in my mailbox, with an .exe attachment
claiming to be a .wav file.
I don't think
Clark wrote:
>
>
> -- Forwarded message --
> Date: Fri, 19 Sep 2003 18:22:00 +0300
> From: Eero Volotinen <[EMAIL PROTECTED]>
> To: Ron Clark <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] new virus:
>
> Yes, it's swan virus.
>
ons.
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com
- Original Message -
From: "Ron Clark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 10:38 A
-- Forwarded message --
Date: Fri, 19 Sep 2003 18:22:00 +0300
From: Eero Volotinen <[EMAIL PROTECTED]>
To: Ron Clark <[EMAIL PROTECTED]>
Subject: Re: [Full-Disclosure] new virus:
Yes, it's swan virus.
--
Eero
If you meant swen, this doesn't look like sw
>
> Has anyone seen an email going around with subject bug message
> containing a supposed audio attachment that is really an exe named
> ckcwr.exe.
I am bouncing HUNDREDS AND HUNDREDS of them.
most SEEM to be bounces of bounces.
You're going to have to give us more than a vague subject line and what
looks like a randomly-generated filename, Ron. Have you tried any of
the major AV tools?
take care,
Cael
Has anyone seen an email going around with subject bug message
containing a supposed audio attachment that is really an exe named
ckcwr.exe.
Is this a possible new virus? I have received numerous copies of this
email since last night.
Ron Clark
System Administrator
Armstrong Atlantic State Unive