Security Incidents mailing list archives
Re: New virus?
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Sun, 21 Mar 2004 12:30:00 -0500
"Rob Shein" wrote Friday, March 19, 2004 5:44 PM
> I'm seeing a lot of something here, and luckily our filters seem to be stopping it with heuristics; it's being quarantined, but it's not identified as any particular virus. I'm seeing emails to people who would normally be getting security-related mails (like SANS bulletins, etc.) and subject lines of such notifications... except that the vulnerabilities listed in the emails are from last year, and in every case it's a forwarded or replied-to email subject (starting with "FW:" or "RE:"). I'm wondering if there's a virus that goes through someone's "Sent Mail" and takes recipients/subjects to produce credible email appearances.
I have recently been receiving infection notifications from old list posts, but the posts did not contain a virus. Some AV vendors appear to have stepped up their detection of potentially hostile OBJECT tags (detecting HTML/Exploit or similar), probably as a result of the new Bagle variants. Many list messages contain snippets of hostile code for discussion purposes, and it is pretty common for AV to find new "viruses" in posts that have been sitting in message stores for ages. One such false positive notification:

> Antigen for Exchange found Unknown infected with VIRUS= HTML/Exploit_base (Norman) virus. The file is currently Removed. The message, "RE: Proxy attackers/hijackers", was sent from James C. Slora, Jr. and was discovered in (location deleted for privacy).

The only new worm I know of that behaves similarly is Lovgate.N. Lovgate.N replies as messages arrive but does not appear to go through old messages. The behavior you see does not quite match Lovgate.N if I understand the description correctly.

http://www.sarc.com/avcenter/venc/data/w32.hllw.lovgate.n () mm html

Of course you have to prove to yourself exactly what you are seeing. What detection do your heuristics list? Does the message generate the detection or does an attachment? Have you submitted samples to AV vendors?
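The triage questions at the end of the reply (which part of the message trips the scanner, the body or an attachment) can be answered mechanically. The following is an added example, not code from the post or from any AV vendor: it walks every MIME part of a message and applies a deliberately simple, assumed heuristic for hostile-looking OBJECT tags (a `codebase`/`data` attribute pointing at an executable, a `file:` or an `ms-its:` target), then reports whether the hit came from a body part or an attachment. The two sample messages are constructed for this example; the heuristic is illustrative and is not what Norman or Antigen actually use. Note how the entity-escaped snippet quoted in the post body does not match, while a raw tag in the same HTML does.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed, illustrative heuristic: an <object> tag whose codebase/data points at
# an executable-ish extension or a file:/ms-its: target. Not any vendor's rule.
OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I | re.S)
SUSPICIOUS_ATTR = re.compile(
    r"""\b(?:codebase|data)\s*=\s*["']?(?:ms-its:|file:|[^"'\s>]*\.(?:exe|chm|hta|scr)\b)""",
    re.I,
)

# Constructed HTML, as a list reply might carry it: one snippet pasted escaped
# (harmless to a tag scanner) and one raw tag that the heuristic will flag.
HTML_WITH_OBJECT = """<html><body>
<p>RE: Proxy attackers/hijackers -- the snippet the scanner complained about:</p>
<pre>&lt;object data="file:///C:/x.chm"&gt; (pasted escaped into the post)</pre>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://example.invalid/payload.exe"></object>
</body></html>
"""


def build_sample(where: str = "body") -> bytes:
    """Constructed test message (not a real capture).

    where="body": the OBJECT tag sits in the HTML body alternative, with an
    unrelated text attachment.  where="attachment": the same HTML is shipped
    as an attached .htm file and the body is plain text.
    """
    msg = EmailMessage()
    msg["From"] = "list-member@example.invalid"
    msg["To"] = "incidents@example.invalid"
    msg["Subject"] = "RE: Proxy attackers/hijackers"
    if where == "body":
        msg.set_content("Plain-text alternative; see the HTML part.")
        msg.add_alternative(HTML_WITH_OBJECT, subtype="html")
        msg.add_attachment("just notes\n", subtype="plain", filename="notes.txt")
    else:
        msg.set_content("Sample attached for analysis.")
        msg.add_attachment(HTML_WITH_OBJECT, subtype="html", filename="sample.htm")
    return bytes(msg)


def _part_text(part) -> str:
    """Decode a leaf MIME part to text for scanning (lossy for binary parts)."""
    if part.get_content_maintype() == "text":
        return part.get_content()
    payload = part.get_payload(decode=True) or b""
    return payload.decode("latin-1")


def scan_message(raw: bytes) -> list:
    """Return one finding per leaf part that contains a suspicious OBJECT tag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        text = _part_text(part)
        hits = [t for t in OBJECT_TAG.findall(text) if SUSPICIOUS_ATTR.search(t)]
        if hits:
            findings.append({
                "content_type": part.get_content_type(),
                "filename": part.get_filename(),
                "is_attachment": part.is_attachment(),
                "tags": hits,
            })
    return findings


def detection_source(findings: list) -> str:
    """Summarise where the detection came from: body, attachment, both or none."""
    in_body = any(not f["is_attachment"] for f in findings)
    in_attachment = any(f["is_attachment"] for f in findings)
    if in_body and in_attachment:
        return "both"
    if in_body:
        return "body"
    if in_attachment:
        return "attachment"
    return "none"


if __name__ == "__main__":
    for where in ("body", "attachment"):
        findings = scan_message(build_sample(where))
        print(where, "->", detection_source(findings))
        for f in findings:
            print("  ", f["content_type"], f["filename"], f["tags"])
```

Feed `scan_message` the raw `.eml` the gateway quarantined and the `is_attachment` flag on each finding tells you whether the body or an attached file triggered the hit; that is the distinction the reply asks for before anyone attributes the detection to a worm rather than to quoted discussion material.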
Current thread:
- New virus? Rob Shein (Mar 20)
- Re: New virus? James C. Slora Jr. (Mar 22)
- <Possible follow-ups>
- Re: New virus? travis.abrams (Mar 20)