RE: klez variant??
From: Stephen A. Santos (ssantos@wachsco.com)
Date: 01/31/03
Date: Fri, 31 Jan 2003 11:27:05 -0600
From: "Stephen A. Santos" <ssantos@wachsco.com>
To: <Incidents@securityfocus.com>
I have seen increased Klez activity, but all have been stopped by our AV,
which is Symantec's newest version. Haven't noticed any other activity
outside of what has been stopped.
===================
Stephen A Santos
Network Administrator
-----Original Message-----
From: Peter Snell [mailto:PSnell@daymon.com]
Sent: Thursday, January 30, 2003 12:11 PM
To: Incidents@securityfocus.com
Subject: klez variant??
Over the past 2 days, we have been seeing a resurgence of Klez type
activity. However, this appears to be getting past our a/v software.
The symptoms we see are:
- spoofed email address
- unusual subject
- no body
- attachments with .scr, .bat, .exe, .jpg extensions (there may be
others, but this is what we've examined so far)
- when the email is opened, even in preview pane, it launches Media
Player but is unable to find the specified file.
Has anyone else seen this type of activity lately, or have any thoughts
on this?
Thanks,
Peter
Peter Snell, MCP
LAN Admin
Daymon Associates
* (210) 299-8164
* psnell@daymon.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com