Security Incidents mailing list archives

Re: New virus?


From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Sun, 21 Mar 2004 12:30:00 -0500

"Rob Shein" wrote Friday, March 19, 2004 5:44 PM

I'm seeing a lot of something here, and luckily our filters seem
to be stopping it with heuristics; it's being quarantined, but it's
not identified as any particular virus. I'm seeing emails to people
who would normally be getting security-related mails (like
SANS bulletins, etc.) and subject lines of such
notifications...except that the vulnerabilities listed in the emails
are from last year, and in every case it's a forwarded or replied-to
email subject (starting with "FW:" or "RE:").  I'm wondering
if there's a virus that goes through someone's "Sent Mail" and
takes recipients/subjects to produce credible email appearances.

I have recently been receiving infection notifications from old list posts
but the posts did not contain a virus. Some AV vendors appear to have
stepped up their detection of potentially hostile OBJECT tags (detecting
HTML/Exploit or similar), probably as a result of the new Bagel variants.
Many list messages contain snippets of hostile code for discussion purposes,
and it is pretty common for AV to find new "viruses" in posts that have been
sitting in message stores for ages.

One such false positive notification:
<quote>
Antigen for Exchange found Unknown infected with VIRUS= HTML/Exploit_base
(Norman) virus.
The file is currently Removed.  The message, "RE: Proxy attackers/hijackers",
was sent from James C. Slora, Jr. and was discovered in (location deleted for
privacy).
</quote>

The only new worm I know of that behaves similarly is Lovgate.N. Lovgate.N
replies as messages arrive but does not appear to go through old messages.
The behavior you see does not quite match Lovgate.N if I understand the
description correctly.
http://www.sarc.com/avcenter/venc/data/w32.hllw.lovgate.n@mm.html

Of course you have to prove to yourself exactly what you are seeing. What
detection do your heuristics list? Does the message generate the detection
or does an attachment? Have you submitted samples to AV vendors?
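The questions at the end of this message ("Does the message generate the detection or does an attachment?") are the right triage for a quarantine hit on list traffic. Below is an added example (not part of the original post or the Antigen product) of a small helper that answers them mechanically: it parses a raw message, walks the MIME parts, and reports whether any OBJECT tag lives inline in a text body, as in a list post quoting code for discussion, or inside an attachment. The two sample messages, addresses and filenames are constructed for the example.

```python
"""Triage helper for AV quarantine hits on mailing-list traffic.

Added example, not from the original post. Given a raw RFC 822 message it
walks the MIME parts and reports where an <OBJECT> tag actually lives:
inline in a text body (typical of a list post quoting a snippet for
discussion) or inside an attachment (the case that deserves a real look).
It does not judge whether the tag is hostile; it only answers "does the
message body or an attachment generate the detection?".
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Matches an opening OBJECT tag; the closing </OBJECT> does not match.
OBJECT_TAG = re.compile(rb"<\s*object\b", re.IGNORECASE)

# Constructed sample: a plain-text list reply that quotes an OBJECT tag while
# discussing it, plus a harmless text attachment. Addresses are placeholders.
SAMPLE_LIST_POST = b"""\
From: poster@example.invalid
To: list@example.invalid
Subject: RE: Proxy attackers/hijackers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The page served this tag, which the proxy let through:

  <OBJECT data="about:blank" type="text/html"></OBJECT>

Filter on the type attribute rather than the tag name.
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Meeting notes, nothing to see here.
--b1--
"""

# Constructed sample: the OBJECT tag sits inside an HTML attachment instead.
SAMPLE_WITH_HTML_ATTACHMENT = b"""\
From: poster@example.invalid
To: list@example.invalid
Subject: FW: Advisory
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

See attached.
--b2
Content-Type: text/html; name="advisory.htm"
Content-Disposition: attachment; filename="advisory.htm"

<html><body><object data="x"></object></body></html>
--b2--
"""


def inspect_parts(raw: bytes) -> list[dict]:
    """Return one record per leaf MIME part: type, attachment status,
    filename and how many opening OBJECT tags its decoded payload holds."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        records.append({
            "index": idx,
            "content_type": part.get_content_type(),
            "is_attachment": part.is_attachment(),
            "filename": part.get_filename(),
            "object_tags": len(OBJECT_TAG.findall(payload)),
        })
    return records


def classify_detection(raw: bytes) -> str:
    """Summarise where an OBJECT-tag detection would be triggered.

    'attachment'   - an attachment contains the tag; inspect it.
    'body-snippet' - only inline text parts contain the tag; consistent with
                     a quoted snippet in a discussion, a likely false positive.
    'none'         - nothing in the message matches.
    """
    hits = [r for r in inspect_parts(raw) if r["object_tags"]]
    if any(r["is_attachment"] for r in hits):
        return "attachment"
    if hits:
        return "body-snippet"
    return "none"


if __name__ == "__main__":
    for label, sample in (("list post", SAMPLE_LIST_POST),
                          ("html attachment", SAMPLE_WITH_HTML_ATTACHMENT)):
        print(label, "->", classify_detection(sample))
        for rec in inspect_parts(sample):
            print("   ", rec)
```

Run it against the raw message the AV gateway quarantined (the message itself, not the notification). A "body-snippet" result on an old list post matches the false-positive pattern described above; an "attachment" result is what should go to the AV vendor as a sample.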




