Security Incidents mailing list archives
Re: Virus? Trojan?
From: "Peter Kruse" <kruse () railroad dk>
Date: Tue, 31 Dec 2002 00:42:42 +0100
Hi David,

That would be Yaha-K. This new variant is spreading heavily in Holland. Earlier today McAfee upgraded the worm to a medium risk:

http://vil.nai.com/vil/content/v_99918.htm

There are many subject lines/Message bodies/Attachment names that W32/Yaha.k may use.

It's very likely spreading because of problems with the invalid MIME formatting of some of the Yaha.k mails. The worm is known to be able to pass through mailsweeper v4.2x.

Kind regards
Peter Kruse
Securityconsultant
http://www.krusesecurity.dk

----- Original Message -----
From: "David Gillett" <gillettdavid () fhda edu>
To: "'Incidents List'" <incidents () securityfocus com>
Sent: Monday, December 30, 2002 11:03 PM
Subject: Virus? Trojan?

So far today, I've received two email messages from kbl-zrz2519.zeelandnet.nl [62.238.233.233] which, apparently, claimed in its HELO message to *be* our local MX (which of course was who it was talking TO). Sounds to me like a bug in the sending software.

The other thing these messages had in common was a 33KB .scr ("screen saver") executable attachment. Norton doesn't recognize this as a known threat, but I don't want to be the first to learn the hard way what it does.

MAYBE this is just ill-conceived and poorly-written spam. Maybe it's something more serious. Anybody know one way or the other?

David Gillett

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
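The two traits reported in this thread (a HELO name equal to the receiving site's own MX, and a .scr attachment) can be checked on stored mail. The following is an added example, not part of either message: the MX name, the internal network, the extension list and the sample message are all assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions, not from the thread: our MX names, our address space, blocked types.
LOCAL_MX = {"mx.example.edu"}
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RISKY_EXT = (".scr", ".pif", ".exe", ".bat", ".com")

# Sendmail/Postfix-style trace field: from <HELO name> (<rDNS> [<peer IP>])
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)", re.I)

def check_message(raw):
    """Return findings for one raw message as stored by the receiving MX."""
    msg = message_from_string(raw)
    findings = []
    received = msg.get_all("Received", [])
    # Only the topmost Received field was written by our own MX; lower ones
    # are sender-controlled and prove nothing.
    m = RECEIVED_RE.search(received[0]) if received else None
    if m:
        helo, peer = m.group(1).lower().rstrip("."), ipaddress.ip_address(m.group(3))
        if helo in LOCAL_MX and not any(peer in net for net in LOCAL_NETS):
            findings.append(f"HELO '{helo}' is our own MX name, sent by outside peer {peer}")
    for part in msg.walk():
        # get_filename() falls back to the Content-Type name= parameter, so a
        # part without Content-Disposition is still checked.
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment '{name}'")
    return findings

# Constructed sample message (all hosts and addresses are placeholders).
SAMPLE = """\
Received: from mx.example.edu (host.example.net [198.51.100.23])
\tby mx.example.edu; Mon, 30 Dec 2002 14:03:00 -0800
From: someone@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="saver.scr"

TVo=
--b1--
"""
```

Calling `check_message(SAMPLE)` returns one finding for the HELO mismatch and one for the attachment; the same HELO comparison can be enforced at SMTP time if the MTA supports rejecting outside peers that announce a local hostname.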