Possible Trojan/Virus: while.com.

["Jay D. Dyson" <jdyson () treachery net>]

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

        I received an unusual spam complaint from one of my users here. 
What's unusual is that I'd not heard about this payload before.  While I
haven't had time yet to give the payload more than a cursory look, my gut
tells me the following is a trojan or worm either deliberately or
unintentionally disseminated by an AOL user (using a forged bellsouth.net
address).  Also of import is that the user who sent this beastie was using
Microsoft Outlook (as if that isn't a big enough warning sign). 

        The text accompanying this apparently malicious payload is thus:

- -----BEGIN EXCERPT-----

It can be disabled at your discretion, although the default 
configuration is to allow updates. If you want to disable this feature, 
follow the instructions in the online help documentation under the topic 
"Turning Attune off and on".\f0\par

\par

You may not modify, reverse-engineer, decompile, create other works 
from, or disassemble the software. Similarly, you may not copy, modify, 
adapt or create other works based upon the Documentation.

- ----- END EXCERPT -----

        The payload is named "while.com" (did some searching on this term
and came up with goose-eggs).  Vital statistics on the file are: 

        Filesize        : 73,728 bytes
        MD5 sum         : 0cd0a719f9f91630de366c54c427a834
        Interesting bits: mshtml.dll (previously ID'd as security risk)
                          TLOSS error
                          SING error
                          DOMAIN error

        (The above three items strike me as math-intensive, possibly
        indicating a cracking functionality of some type...or maybe I'm
        whistling in the dark.  Like I said, this is a suspected trojan,
        not confirmed.)

        Anyway, with the creepy-crawlies typically associated with
Microsoft-sired worms (use of MS Outlook, generic text, unsolicited
payload, et cetera), I'm regarding this as a high-probability trojan/worm.

        Anyone interested in vivisecting this beastie can find a copy of
it here:

        The file: http://www.treachery.net/~jdyson/trojans/while.com
        MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5

        Oh...and in case anyone's wondering, I've already sent off a
letter to AOL to let them know about this.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPAHReblDRyqRQ2a9AQHg9QP+P1/9NN3JKyToZdn+ACWQE1IRGkWHwHiu
JkMBR0xQcmB93EbBP0f1yui9g/Tl+E8ZAGvkQQd3LW665J3fnMMxoeqOnAZsjy3W
/owQ1aUJuc6Ki7AU99KQ1gdwV0SO7zFvbNpjSwhpXwhEuj51bwkms3tfw96zRuHi
Yj+1XeDe910=
=MnN0
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com