Re: Worm.SCO.A

From: Ricardo Oliva (ricardo_at_zoology.ubc.ca)
Date: 01/28/04

  • Next message: Dan Bartley: "RE: Worm.SCO.A (W32/Mydoom@MM)"
    Date: Tue, 27 Jan 2004 16:14:03 -0800
    To: "Shawn Jackson" <sjackson@horizonusa.com>

    I have come across this one on a server using ClamAV that has users
    being migrated to it as we speak, so there is still not much activity
    on it. I also tried to find a naming comparison with other vendors, but
    ClamAV does not seem to offer that.

    Anyway, the characteristics of the message attachments and the name
    SCO.A do tell me that it could be how they call the Mydoom virus,
    since the DoS attack points to www.sco.com. But that is just my guess.
    And the date and time of the updates (I have freshclam running every
    hour and log those connections) do match the ones other vendors
    released for Mydoom (or whatever you want to call it).

    Cheers,

    --
    Ricardo Oliva
    Core Systems Administrator
    Zoology Department
    University of British Columbia
    Ph.: 604-822-3882
    E-mail: ricardo@zoology.ubc.ca

    On 26-Jan-04, at 2:38 PM, Shawn Jackson wrote:
    >
    > 	Anyone else encountering this? I've just got hammered with a few
    > hundred of these in the last hour and a half and I can't quite discern
    > what exactly the virus is. There doesn't seem to be a map from ClamAV
    > virus naming format to any other. Anyone have a clue of what this virus
    > is?
    >
    > 	I looked at the quarantine, and it seemed to be just the virus
    > payload and no content, file.pif.exe. I've also seen it as a file.zip,
    > doc.zip, document.zip, document.pif, rhn.scr, data.zip, message.zip,
    > test.zip. There could be more, but I just don't have the time to check
    > the payload on all the messages.
    >
    > -------------------AMAVIS REPORT------------------
    > A virus (Worm.SCO.A) was found.
    >
    > Two banned names (file.pif, .exe) were found.
    >
    > Scanner detecting a virus: Clam Antivirus-clamd
    >
    > The mail originated from: <ctccyc@aol.com>
    >
    > According to the 'Received:' trace, the message originated at:
    >    aol.com (unknown [12.9.171.xxx])	
    >
    > The message WAS NOT delivered to:
    > <xxx@horizonusa.com>:
    >    550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A
    >
    > Virus scanner output:
    >    /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002:
    > Worm.SCO.A FOUND
    >
    > The message has been quarantined as:
    >    /var/amavisd/quarantine/virus-20040126-141800-28441-07
    >
    > ------------------------- BEGIN HEADERS -----------------------------
    > Return-Path: <xxxxx@aol.com>
    > Received: from aol.com (unknown [12.9.171.xxx])
    > 	by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
    > 	for <ted@horizonusa.com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
    > From: xxxx@aol.com
    > To: xxx@horizonusa.com
    > Subject:
    > Date: Mon, 26 Jan 2004 14:17:47 -0800
    > MIME-Version: 1.0
    > Content-Type: multipart/mixed;
    > 	boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > Message-Id: <20040126221759.DFA572D8106@mta1.horizonusa.com>
    > -------------------------- END HEADERS ------------------------------
    >
    > Shawn Jackson
    > Systems Administrator
    > Horizon USA
    > 1190 Trademark Dr #107
    > Reno NV 89521
    >
    > www.horizonusa.com
    > Email: sjackson@horizonusa.com
    > Phone: (775) 858-2338
    >              (800) 325-1199 x338
    >
    > -----------------------------------------------------------------------
    > Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    > course! All of our class sizes are guaranteed to be 10 students or less.
    > We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    > and many other technical hands on courses.
    > Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    > any course!
    > -----------------------------------------------------------------------
    >
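The AMAVIS notice Shawn pasted is the only data in this thread, and a few hundred of them in an hour is exactly when you want them parsed rather than read. The following is an added example, not code from the thread or from the amavisd or ClamAV projects: it pulls the signature name, banned attachment names, sender, originating IP, infected part and quarantine path out of a notice in that layout, recovers the detection time from the quarantine file name, and matches the banned names against the attachment names Shawn listed. Assumptions: the field layout is taken from the single report on this page; the sample notice is constructed from it with the masked addresses kept; and the name list is an indicator list for triage only, since a file name is not a signature.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: one AMAVIS virus notice in the shape quoted in the
# thread. Addresses and the origin IP are the masked values from the post,
# not real observations.
SAMPLE_REPORT = """\
A virus (Worm.SCO.A) was found.

Two banned names (file.pif, .exe) were found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <ctccyc@aol.com>

According to the 'Received:' trace, the message originated at:
   aol.com (unknown [12.9.171.xxx])

The message WAS NOT delivered to:
<xxx@horizonusa.com>:
   550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A

Virus scanner output:
   /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002:
Worm.SCO.A FOUND

The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040126-141800-28441-07
"""

# Attachment names Shawn listed in the thread. They are used only as an
# indicator list for triage; a file name is not a signature (assumption).
INDICATOR_NAMES = {
    "file.pif.exe", "file.zip", "doc.zip", "document.zip", "document.pif",
    "rhn.scr", "data.zip", "message.zip", "test.zip",
}


def parse_amavis_report(text):
    """Extract the fields an admin wants from one AMAVIS virus notice."""

    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None

    banned = first(r"banned names? \(([^)]*)\) (?:was|were) found")
    quarantine = first(r"quarantined as:\s*\n\s*(\S+)")
    detected_at = None
    if quarantine:
        # The quarantine file on the page is named virus-YYYYMMDD-HHMMSS-<id>;
        # the timestamp is what you line up against the freshclam log.
        m = re.search(r"virus-(\d{8})-(\d{6})", quarantine)
        if m:
            detected_at = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return {
        "virus": first(r"A virus \(([^)]+)\) was found"),
        "banned_names": [b.strip() for b in banned.split(",")] if banned else [],
        "scanner": first(r"Scanner detecting a virus: (.+)"),
        "sender": first(r"The mail originated from: <([^>]+)>"),
        "origin_host": first(r"originated at:\s*\n\s*(.+)"),
        "origin_ip": first(r"\[([0-9a-fx.]+)\]"),
        "infected_part": first(r"Virus scanner output:\s*\n\s*(\S+):"),
        "quarantine": quarantine,
        "detected_at": detected_at,
    }


def matches_indicator(name, indicators=INDICATOR_NAMES):
    """True if a banned name is, or is the inner name of, a listed attachment.

    AMAVIS reports the double-extension file.pif.exe as the banned name
    'file.pif' plus the extension '.exe', so prefix matching is needed.
    """
    return name in indicators or any(i.startswith(name + ".") for i in indicators)


def triage(reports):
    """Summarize a batch of parsed notices the way you would during a storm."""
    return {
        "by_signature": Counter(r["virus"] for r in reports if r["virus"]),
        "by_origin_ip": Counter(r["origin_ip"] for r in reports if r["origin_ip"]),
        "indicator_hits": sorted(
            {n for r in reports for n in r["banned_names"] if matches_indicator(n)}
        ),
    }


if __name__ == "__main__":
    report = parse_amavis_report(SAMPLE_REPORT)
    for key, value in report.items():
        print(f"{key:14} {value}")
    print(triage([report]))
```

Feed `triage` every notice from the quarantine period and the per-origin and per-signature counters tell you whether one source is flooding you or the worm is spreading from many hosts; the `detected_at` value is the one to compare with the freshclam update time, as Ricardo did, to check that the signature arrived before the wave rather than during it.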