It's a new one not KLEZ ... -----BEGIN PGP SIGNED MESSAGE----- A number of people have received email from contacts at other sites with the subject line "Your Password!"
This is a new email-based worm that hit many European High Energy Physics sites earlier today and is now affecting sites in the US. The anti-virus companies have updates available soon, but in the meantime the SLAC email gateway has stripped on the order of 600 infected email attachments destined to SLAC users. At this time, we have no reports of infection within SLAC and we should remain safe even from those who infect their own machines by reading email from non-SLAC sources (home insititutions, Yahoo, Hotmail, etc.) and then executing the "Decrypt-password.exe" file. Here is a quote from the CIAC "Heads-Up" on this latest worm ... There are reports this morning of DOE sites being hit by the W32/Frethem.K@mm worm. The worm uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics: Subject: Re: Your Password! Attachments: Decrypt-password.exe and Password.txt Size of attachment: 48,640 bytes The affected systems are Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows ME. The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (CIAC Bulletin L-066) in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2). -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQCVAwUBPTMKjF1NwfDT0XdRAQGAMQP/YXjQ8xz4XnRk02OYyrGKzDSQEaIOBm/Y H19u0QJ9t68UH8bpOf3uGtZFNV4koieizW2d39/Eiyl/HKzuPa7tkjR+QE/CFvjX RMg2XkYwbL1fuNyVDqjbPP400G/rYPAHnOjWEtUtXjPKrZnKT+IbPJUTQHjPGkJR jEa9o/Sejws= =vrs9 -----END PGP SIGNATURE----- -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, July 15, 2002 9:08 AM To: Multiple recipients of list ORACLE-L Bunyamin, Did you pick up a copy of worm_klez somewhere? Dick Goulet ____________________Reply Separator____________________ Author: [EMAIL PROTECTED] Date: 7/15/2002 6:53 AM <HTML><HEAD></HEAD><BODY> <FONT COLOR˙F0000> <b>ATTENTION!</b><br><br> You can access<br> <b>very important</b><br> information by<br> this password<br><br> <b>DO NOT SAVE</b><br> password to disk<br> use your mind<br><br> now press<br> <b>cancel</b><br><br> (Bunyamin Karadeniz)</font></BODY></HTML> <iframe src=cid:W8dqwq8q918213 height=0 width=0></iframe> -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: MacGregor, Ian A. INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).