Re: Virus? Trojan?

From: James C. Slora Jr. (Jim.Slora@phra.com)
Date: 01/13/03

    Date: Sun, 12 Jan 2003 21:28:15 -0500
    From: "James C. Slora Jr." <Jim.Slora@phra.com>
    To: nick@virus-l.demon.co.uk, 'Incidents List' <incidents@securityfocus.com>
    
    

    Nick FitzGerald wrote Sunday, January 12, 2003 6:39 PM

    > Yaha.K was discovered before Christmas, and although that machine
    > seemed to start spewing out Yaha Email as Yaha.M was first being
    > reported, it is not infected with Yaha.M but with Yaha.K as a simple
    > analysis of the file attached to its Email shows.

    Thanks for the correction.

    I looked at headers and message text, and I stripped the attachments without
    analyzing them.

    Headers and message body options are AFAICT the same between K and M and
    match no other circulating worms, based on Trend Micro and Symantec
    descriptions. My original determination that the infection was M rather than
    K was based on David Gillett's assertion that Norton (unspecified product)
    did not detect a worm in the message at a time when definitions detecting K
    were already available.

    When the new messages arrived, they were apparently more of the same and I
    reported them as such. For notification purposes I believe that this
    admittedly imprecise analysis was adequate, despite my incorrect conclusion.

    For the sake of absolute correctness I should not have specified the
    infection as Yaha-M when I had never performed a positive binary analysis of
    the attachment - I should have just said maybe "apparently one of the newer
    varieties of the Yaha family of worms, based on message headers and text".

    > I agree that the sender may be on this list or a frequenter of the
    > archives. If you are reading this and are a cable (the "kbl" of
    > "kbl-zrz2519.zeelandnet.nl" is, at a guess, a contraction of the Dutch
    > for "cable") customer of zeelandnet.nl, please head to one of the AV
    > sites for a description of Yaha.K (or one of the names above!) and
    > find out how to fix it and then do something about getting protected
    > so as to reduce the likelihood of becoming infected again.

    > > Since the infections are still coming I've notified the administrator of
    > > zeelandnet.nl - hopefully they will hunt the user down and help them clear
    > > the infection.
    >
    > So have I -- the problem is they decided the best action was to
    > prevent that IP accessing their mail server:
    >
    > Thanks for the message.
    >
    > The user is blocked for outgoing e-mail to block this virus.
    >
    > As they don't really say how or what they have blocked, and the
    > messages keep coming, I guess they have blocked access to their own
    > mail servers, which the virus will not try to use except when it
    > tries to send itself to an address for which a zeelandnet.nl mail
    > server is the mail-exchanger (AFAICT, Yaha.K's SMTP engine tries to
    > resolve MX records in the DNS then sends its mail directly to that
    > SMTP server rather than relying on any "local" SMTP servers to relay
    > for it).

    Thanks for sharing their response. I have not received anything from
    zeelandnet.nl administrators beyond the initial automated response. I have
    also not received any more infected messages from the offender since
    submitting the notification (which of course doesn't prove anything).

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
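The practical consequence of Nick's observation about Yaha.K's direct-to-MX SMTP engine is that an ISP blocking a customer's access to its own relay stops none of the worm's traffic; what a defender can actually see is outbound TCP/25 from an end-user host to destinations other than the sanctioned relay. The script below, added here as an illustration and not part of the original thread, runs that check over a few constructed flow-log lines. The log format, the relay address 10.0.0.25 and the customer range 10.20.30.0/24 are all assumptions made for the example.

```python
"""Added example: spotting direct-to-MX mail traffic in egress flow logs.

A mass mailer that resolves the recipient's MX record and delivers to it
directly never touches the ISP's relay, so a relay-only block leaves its
traffic untouched.  The defender-side signal is instead the volume of
outbound port-25 connections from a customer host to non-relay addresses.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed sample lines (not real log data): "<time> <src> -> <dst>:<port> <bytes>"
SAMPLE_FLOWS = """\
21:28:01 10.20.30.40 -> 10.0.0.25:25 4120
21:28:02 10.20.30.40 -> 198.51.100.10:25 39001
21:28:02 10.20.30.40 -> 203.0.113.7:25 39004
21:28:03 10.20.30.40 -> 192.0.2.33:25 38998
21:28:03 10.20.30.41 -> 10.0.0.25:25 2210
21:28:04 10.20.30.40 -> 192.0.2.34:25 39002
21:28:05 10.20.30.42 -> 203.0.113.80:80 1500
"""

# Assumed for this example: the ISP's sanctioned outbound relay, which is the
# only legitimate port-25 destination for hosts in the customer range.
SANCTIONED_RELAY = ipaddress.ip_address("10.0.0.25")
CUSTOMER_NET = ipaddress.ip_network("10.20.30.0/24")

FLOW_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:]+):(?P<port>\d+)\s+(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse the constructed flow format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "time": m["time"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "port": int(m["port"]),
            "bytes": int(m["bytes"]),
        })
    return flows


def port25_profile(flows, relay=SANCTIONED_RELAY, customer_net=CUSTOMER_NET):
    """Per customer host, count port-25 connections that went via the relay
    versus directly to some other server.  Only the relay count would be
    affected by the kind of block described in the thread."""
    profile = defaultdict(lambda: {"via_relay": 0, "direct": 0})
    for f in flows:
        if f["src"] in customer_net and f["port"] == 25:
            key = "via_relay" if f["dst"] == relay else "direct"
            profile[str(f["src"])][key] += 1
    return dict(profile)


def direct_to_mx_senders(flows, threshold=3, **kwargs):
    """Return {src_ip: count} for customer hosts whose direct (non-relay)
    port-25 connection count reaches the threshold."""
    profile = port25_profile(flows, **kwargs)
    return {ip: c["direct"] for ip, c in profile.items() if c["direct"] >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, counts in sorted(port25_profile(flows).items()):
        print(f"{ip}: via relay={counts['via_relay']}, direct={counts['direct']}")
    print("likely direct-to-MX mailers:", direct_to_mx_senders(flows))
```

On the constructed sample, 10.20.30.40 shows one relay connection and four direct ones; blocking the relay for that host would stop only the single legitimate-looking flow, which is exactly the gap the thread describes. A threshold is used because a single stray direct connection is not evidence of anything.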


