Bugtraq mailing list archives
Re: Warning to Bugtraq posters.
From: smiths () TIAC NET (Richard M. Smith)
Date: Thu, 23 Dec 1999 15:59:17 -0500
Hi Steven,

Okay, this is probably the NewApt worm/trojan/virus. Here are some descriptions of it:

Trend Micro Description
http://www.antivirus.com/vinfo/security/sa121499.htm

NAI Avert Description
http://vil.nai.com/vil/wm10475.asp

Symantec Description
http://www.symantec.com/avcenter/venc/data/worm.newapt.html

F-Secure Description
http://www.europe.f-secure.com/v-descs/newapt.htm

The NTBugTraq mailing list had the same problem last week. All it takes is one person on a mailing list to get infected, then it sends itself off to people who have posted messages to the list. For example, I got a WinApt message from Italy that was a reply to a message I posted in August to NTBugTraq.

An interesting side note, NewApt contains an IP address for a Microsoft Web server that shows the www.microsoft.com homepage. Not sure what the purpose of this address is in the code.

Richard

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Steven Alexander
Sent: Wednesday, December 22, 1999 11:49 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Warning to Bugtraq posters.

After my last post to bugtraq (Re: w00w00....) I received a message pertaining to be from myself with the same subject line. The message contained an attachment program named goal.exe. It claimed that this program was from messagemates.com. If the program is run it will give an error message about an unfound .DLL. It will also create a new goal.exe in "C:\WINNT\" and an entry in the registry named "tpawen" with the value "C:\WINNT\goal.exe /x" under "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run".

I don't know what this program is, I am disassembling it now and will post again later. The header from the message I received indicates that the mail was received by my mail server from "stu.chesapeake.net, 205.130.220.9". If anyone knows anything more please email me.

-steven alexander