RE: Worm.SCO.A

From: Shawn Jackson (sjackson_at_horizonusa.com)
Date: 01/29/04

  • Next message: Jude Naidoo: "Re: Internal Instant Messaging"
    Date: Thu, 29 Jan 2004 10:00:16 -0800
    To: "Hamish Stanaway" <koremeltdown@hotmail.com>, <security-basics@securityfocus.com>
    
    

    Worm.SCO.A maps to Novarg (F-Secure), W32.Novarg.A@mm (Symantec),
    W32/Mydoom.a@MM, Win32.Mydoom.A (CA), Win32/Shimg (CA), WORM_MIMAIL.R
    (Trend). It is not a MIMAIL variant as Trend Micro suspected, so AV
    definitions looking for MIMAIL and its ilk will miss the virus. I haven't
    received any Mydoom.B samples, so I don't know what ClamAV will call that
    (Worm.SCO.B or Worm.MICROSOFT.A, whatever).

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521

    www.horizonusa.com
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
                 (800) 325-1199 x338

    -----Original Message-----
    From: Hamish Stanaway [mailto:koremeltdown@hotmail.com]
    Sent: Wednesday, January 28, 2004 2:05 AM
    To: Shawn Jackson; security-basics@securityfocus.com
    Subject: RE: Worm.SCO.A

    Hi there,

    I just wanted to let Shawn and others know that you are not alone. I too
    have received several copies of this mail in the past 24 hours, and am
    beginning to wonder what it is.

    Kindest of regards,

    Hamish Stanaway

    Absolute Web Hosting
    Owner/Operator
    Auckland
    New Zealand

    http://www.webhosting.net.nz
    http://www.buywebhosting.co.nz

    >From: "Shawn Jackson" <sjackson@horizonusa.com>
    >To: <security-basics@securityfocus.com>
    >Subject: Worm.SCO.A
    >Date: Mon, 26 Jan 2004 14:38:23 -0800
    >
    > Anyone else encountering this? I've just got hammered with a few
    >hundred of these in the last hour and a half and I can't quite discern
    >what exactly the virus is. There doesn't seem to be a map from ClamAV's
    >virus naming format to any other. Anyone have a clue of what this virus
    >is?
    >
    > I looked at the quarantine, and it seemed to be just the virus payload
    >and no content, file.pif.exe. I've also seen it as a file.zip, doc.zip,
    >document.zip, document.pif, rhn.scr, data.zip, message.zip, test.zip.
    >There could be more, but I just don't have the time to check the
    >payload on all the messages.
    >
    >-------------------AMAVIS REPORT------------------
    >A virus (Worm.SCO.A) was found.
    >
    >Two banned names (file.pif, .exe) were found.
    >
    >Scanner detecting a virus: Clam Antivirus-clamd
    >
    >The mail originated from: <ctccyc@aol.com>
    >
    >According to the 'Received:' trace, the message originated at:
    > aol.com (unknown [12.9.171.xxx])
    >
    >The message WAS NOT delivered to:
    ><xxx@horizonusa.com>:
    > 550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A
    >
    >Virus scanner output:
    > /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002:
    >Worm.SCO.A FOUND
    >
    >The message has been quarantined as:
    > /var/amavisd/quarantine/virus-20040126-141800-28441-07
    >
    >------------------------- BEGIN HEADERS -----------------------------
    >Return-Path: <xxxxx@aol.com>
    >Received: from aol.com (unknown [12.9.171.xxx])
    > by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
    > for <ted@horizonusa.com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
    >From: xxxx@aol.com
    >To: xxx@horizonusa.com
    >Subject:
    >Date: Mon, 26 Jan 2004 14:17:47 -0800
    >MIME-Version: 1.0
    >Content-Type: multipart/mixed;
    > boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >Message-Id: <20040126221759.DFA572D8106@mta1.horizonusa.com>
    >-------------------------- END HEADERS ------------------------------
    >
    >Shawn Jackson
    >Systems Administrator
    >Horizon USA
    >1190 Trademark Dr #107
    >Reno NV 89521
    >
    >www.horizonusa.com
    >Email: sjackson@horizonusa.com
    >Phone: (775) 858-2338
    > (800) 325-1199 x338
    >
    >---------------------------------------------------------------------------
    >Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    >course! All of our class sizes are guaranteed to be 10 students or less.
    >We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    >and many other technical hands on courses.
    >Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    >any course!
    >---------------------------------------------------------------------------
    >

    
