klez variant??
From: Peter Snell (PSnell@daymon.com)
Date: 01/30/03
To: Incidents@securityfocus.com
Date: Thu, 30 Jan 2003 13:11:25 -0500

Over the past 2 days, we have been seeing a resurgence of Klez type
activity. However, this appears to be getting past our a/v software. The
symptoms we see are:
- spoofed email address
- unusual subject
- no body
- attachments with .scr, .bat, .exe, .jpg extensions (there may be others,
but this is what we've examined so far)
- when the email is opened, even in preview pane, it launches Media Player
but is unable to find the specified file.
Has anyone else seen this type of activity lately, or have any thoughts on
this?
Thanks,
Peter
Peter Snell, MCP
LAN Admin
Daymon Associates
* (210) 299-8164
* psnell@daymon.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
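
As an added example (not part of the original post), a mail-gateway triage check for the symptoms in the list above that can be read from the message itself; spoofed senders and unusual subjects need outside context and are not covered. The sample message, the `triage` function and the treatment of audio/video content types as the reason a media player starts are assumptions made for illustration.

```python
import email
import os
from email import policy

# Extensions named in the post (the poster notes there may be others).
SUSPECT_EXTS = {".scr", ".bat", ".exe", ".jpg"}

# Constructed sample, not a captured message.
SAMPLE = """\
From: someone@example.com
To: user@example.org
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1
Content-Type: audio/x-wav; name="setup.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.scr"

AAAA
--b1--
"""

def triage(raw):
    """Return the listed symptoms that can be read from the message itself."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, body = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            if part.get_content_maintype() == "text":
                body += part.get_content()
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in SUSPECT_EXTS:
            findings.append(f"attachment extension {ext}")
            # Assumption: a media type on such a file is what starts a player.
            if part.get_content_maintype() in ("audio", "video"):
                findings.append(f"{part.get_content_type()} part named {name}")
    if not body.strip():
        findings.append("no body text")
    return findings
```

Calling `triage(SAMPLE)` returns all three findings; an ordinary text message with no attachment returns an empty list.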