Full Disclosure mailing list archives
Re: [ok] Possible Virus/Trojan
From: Charles Heselton <charles.heselton () gmail com>
Date: Mon, 26 Jul 2004 19:21:02 -0700
On Mon, 26 Jul 2004 08:08:27 -0500, Todd Towles <toddtowles () brookshires com> wrote:
> Sorry guys, I just noticed in my Outlook that the attachment name was really "New Southern California wildfire erupts.avi (spaces) .exe". It was released to me after being blocked, but Outlook blocks access to exe files. Therefore I don't have a direct copy of it to look into. I am trying to find another copy somewhere.
>
> That means the file name was the same as the header. If I was going to custom make a fake e-mail to send to one person, it wouldn't be so automatically looking.
>
> -----Original Message-----
> From: Andrew Farmer [mailto:andfarm () teknovis com]
> Sent: Sunday, July 25, 2004 6:06 PM
> To: Curt Purdy
> Cc: 'Mailing List - Full-Disclosure'; 'Todd Towles'
> Subject: Re: [ok] [Full-disclosure] Possible Virus/Trojan
>
> On 25 Jul 2004, at 12:06, Curt Purdy wrote:
>> Todd Towles wrote:
>>> I received an e-mail today that looked very much like a virus. Here is the message
>>> Attachment - erupts.avi.exe
>>> Subject - New Southern California wildfire erupts
>> <snip>
>>> Either this is a new Trojan that changes its body and subject based on the current AP news or someone used a very lame trick against me. =)
>>
>> I'm guessing the latter. Although story scraping would be possible, intelligent naming of the .exe would not be. Most likely a friend... or enemy.
>
> Sure it would be. In this case, at least, the executable is just named based on the last word of the headline plus ".avi.exe".
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Sounds like a variant of the new MyDoom. MyDoom.M (as named by Symantec) grabs email domains, then does a Google search for other email addy's in the same domain. It would be more or less trivial to craft the filename/subject from something pulled off of a "current event search".

--
Charlie Heselton
Network Security Engineer
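Added example, not part of the original thread or written by any poster: a mail-filter style check for the attachment naming described above, a decoy media extension followed by whitespace padding and a real executable extension. The extension lists, function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Illustrative (assumed) lists: extensions Windows runs, and harmless-looking decoys.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY = {"avi", "mpg", "jpg", "gif", "txt", "doc", "pdf", "zip"}

# <name>.<inner ext><optional whitespace padding>.<outer ext> at end of the name
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)\.([A-Za-z0-9]{1,5})\s*$")

def classify_filename(name):
    """Return findings for one attachment filename (empty list if clean)."""
    findings = []
    m = DOUBLE_EXT.search(name)
    if not m:
        return findings
    inner, padding, outer = m.group(1).lower(), m.group(2), m.group(3).lower()
    if outer in EXECUTABLE and inner in DECOY:
        findings.append("double-extension")
        if padding:
            # Padding pushes the real extension out of a narrow filename column.
            findings.append("whitespace-padding")
    return findings

def scan_message(raw):
    """Map each attachment filename in a raw RFC 822 message to its findings."""
    results = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            results[name] = classify_filename(name)
    return results

# Constructed sample modelled on the filename quoted in the thread.
SAMPLE_NAME = "New Southern California wildfire erupts.avi" + " " * 40 + ".exe"
SAMPLE = (
    "Subject: New Southern California wildfire erupts\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nbody\n"
    "--b\nContent-Type: application/octet-stream\n"
    f'Content-Disposition: attachment; filename="{SAMPLE_NAME}"\n\nAAAA\n'
    "--b--\n"
)

if __name__ == "__main__":
    for fname, hits in scan_message(SAMPLE).items():
        print(repr(fname), hits)
```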