Security Incidents mailing list archives

Re: Win32.Invalid.A@mm


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sun, 2 Sep 2001 11:20:38 +1200

Ryan Russell <ryan () securityfocus com> wrote:

http://www.centralcommand.com/aug30.html

Anyone seen a copy of this, yet?  It's another worm that purports to be a
Microsoft Advisory, this one about an invalid SSL certificate.

As already discussed on focus-virus, this is a media event, not a 
virus event.  Perhaps Central Command's sales have been down this 
quarter and they felt they needed a publicity boost?

By the time Central Command issued its press release, and thus well
before any of the major media outlets picked it up, the mail server 
this thing is hard-coded to relay through had been "fixed" to prevent 
(externally sourced) relaying so its distribution mechanism was 
broken and the threat averted (apart from however many copies may 
have already been posted and waiting in mailboxes for the unwary to 
run and thus unleash the EXE-crypting payload).

MessageLabs' statistics suggest that a trifling handful of people may 
have been affected by it before the mail relay was stopped.  As I 
write, there have been fewer than 8 detects on ML's current day 
counter (which could mean zero -- they list the "top ten" and tenth 
place was Hybris.D with 8 detects), none in their September "Threat 
List" and none in their August "Threat List".  Despite that, private 
communication from ML suggests they did see a very small number over 
Thursday/Friday.


Regards,

Nick FitzGerald
