RE: Worm.SCO.A
From: Shawn Jackson (sjackson_at_horizonusa.com)
Date: 01/29/04
Date: Thu, 29 Jan 2004 10:00:16 -0800
To: "Hamish Stanaway" <koremeltdown@hotmail.com>, <security-basics@securityfocus.com>
Worm.SCO.A maps to Novarg (F-Secure), W32.Novarg.A@mm (Symantec),
W32/Mydoom.a@MM, Win32.Mydoom.A (CA), Win32/Shimg (CA), WORM_MIMAIL.R
(Trend). It is not a MIMAIL variant as Trend Micro suspected, so AV DEFs
looking for MIMAIL and its ilk will miss the virii. I haven't received
any Mydoom.B virii, so I don't know what ClamAV will call that
(Worm.SCO.B or Worm.MICROSOFT.A, whatever).
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson@horizonusa.com
Phone: (775) 858-2338
(800) 325-1199 x338
-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown@hotmail.com]
Sent: Wednesday, January 28, 2004 2:05 AM
To: Shawn Jackson; security-basics@securityfocus.com
Subject: RE: Worm.SCO.A
Hi there,
I just wanted to let Shawn and others know that you are not alone; I too
have received several copies of this mail in the past 24 hours, and am
beginning to wonder what it is.
Kindest of regards,
Hamish Stanaway
Absolute Web Hosting
Owner/Operator
Auckland
New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
>From: "Shawn Jackson" <sjackson@horizonusa.com>
>To: <security-basics@securityfocus.com>
>Subject: Worm.SCO.A
>Date: Mon, 26 Jan 2004 14:38:23 -0800
>
> Anyone else encountering this? I've just got hammered with a few
>hundred of these in the last hour and a half and I can't quite discern
>what exactly the virii is. There doesn't seem to be a map from ClamAV
>virus naming format to any other. Anyone have a clue of what this virus
>is?
>
> I looked at the quarantine, and it seemed to be just the virii
>payload and no content, file.pif.exe. I've also seen it as a file.zip, doc.zip,
>document.zip, document.pif, rhn.scr, data.zip, message.zip, test.zip.
>There could be more, but I just don't have the time to check the
>payload on all the messages.
>
>-------------------AMAVIS REPORT------------------
>A virus (Worm.SCO.A) was found.
>
>Two banned names (file.pif, .exe) were found.
>
>Scanner detecting a virus: Clam Antivirus-clamd
>
>The mail originated from: <ctccyc@aol.com>
>
>According to the 'Received:' trace, the message originated at:
> aol.com (unknown [12.9.171.xxx])
>
>The message WAS NOT delivered to:
><xxx@horizonusa.com>:
> 550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A
>
>Virus scanner output:
> /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002:
>Worm.SCO.A FOUND
>
>The message has been quarantined as:
> /var/amavisd/quarantine/virus-20040126-141800-28441-07
>
>------------------------- BEGIN HEADERS -----------------------------
>Return-Path: <xxxxx@aol.com>
>Received: from aol.com (unknown [12.9.171.xxx])
> by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
> for <ted@horizonusa.com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
>From: xxxx@aol.com
>To: xxx@horizonusa.com
>Subject:
>Date: Mon, 26 Jan 2004 14:17:47 -0800
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
>X-Priority: 3
>X-MSMail-Priority: Normal
>Message-Id: <20040126221759.DFA572D8106@mta1.horizonusa.com>
>-------------------------- END HEADERS ------------------------------
>
>Shawn Jackson
>Systems Administrator
>Horizon USA
>1190 Trademark Dr #107
>Reno NV 89521
>
>www.horizonusa.com
>Email: sjackson@horizonusa.com
>Phone: (775) 858-2338
> (800) 325-1199 x338
>
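The AMAVIS notification quoted in Shawn's original post has a fixed layout, so a small parser can turn a pile of them into the attachment-name and origin-IP tally he said he had no time to compile by hand. This is an added example, not code from the thread or from amavisd-new; the make_report helper and the sample addresses, IPs and quarantine ids are constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical helper: builds a notification in the amavisd-new report layout
# quoted in the thread, with constructed sender, host, IP and quarantine id.
def make_report(virus, banned, sender, host, ip, qid):
    many = "," in banned
    return (f"A virus ({virus}) was found.\n\n"
            f"{'Two banned names' if many else 'One banned name'} ({banned}) "
            f"{'were' if many else 'was'} found.\n\n"
            f"The mail originated from: <{sender}>\n\n"
            "According to the 'Received:' trace, the message originated at:\n"
            f" {host} (unknown [{ip}])\n\n"
            "The message has been quarantined as:\n"
            f" /var/amavisd/quarantine/virus-{qid}\n")

SAMPLE_REPORTS = [  # constructed sample notifications
    make_report("Worm.SCO.A", "file.pif, .exe", "a@example.com", "example.com",
                "192.0.2.10", "20040126-141800-28441-07"),
    make_report("Worm.SCO.A", "document.zip", "b@example.net", "example.net",
                "192.0.2.10", "20040126-142000-28450-03"),
    make_report("Worm.SCO.A", "file.pif, .exe", "c@example.org", "example.org",
                "198.51.100.7", "20040126-142100-28455-01"),
]

FIELDS = {  # one regex per line of the report a triager cares about
    "virus": re.compile(r"^A virus \(([^)]+)\) was found\.", re.M),
    "banned": re.compile(r"banned names? \(([^)]+)\) (?:was|were) found\."),
    "sender": re.compile(r"^The mail originated from: <([^>]+)>", re.M),
    "origin_ip": re.compile(r"originated at:\s*\n\s*\S+ \(\S+ \[([^\]]+)\]\)"),
    "quarantine": re.compile(r"quarantined as:\s*\n\s*(\S+)"),
}

def parse_report(text):
    """Pull the triage fields out of one amavis notification (None if absent)."""
    rec = {k: (m.group(1).strip() if (m := rx.search(text)) else None)
           for k, rx in FIELDS.items()}
    # first banned name is the attachment filename; later ones are the
    # flagged extensions (".exe" for file.pif.exe)
    rec["banned"] = [b.strip() for b in rec["banned"].split(",")] if rec["banned"] else []
    return rec

def summarize(reports):
    """Tally virus names, attachment names and origin IPs across reports."""
    parsed = [parse_report(r) for r in reports]
    return {
        "viruses": Counter(p["virus"] for p in parsed),
        "attachments": Counter(p["banned"][0] for p in parsed if p["banned"]),
        "origin_ips": Counter(p["origin_ip"] for p in parsed),
    }
```

Feeding real quarantine notifications in as the reports list gives the same counters, which is usually enough to see whether one sender IP or one attachment name dominates a burst like the one described above.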