also.. you should notice that the virus will spoof the from address.
probably from a list of addresses it got from the system it infected.

http://www.symantec.com/avcenter/venc/data/w32.novarg.a at mm.html

-miah

On Tue, Jan 27, 2004 at 12:21:12PM -0500, gboyce at badbelly.com wrote:
> http://www.f-secure.com/v-descs/novarg.shtml
>
> It appears that the latest worm will autosend e-mails. It's possible that
> the recipient may vary as well (Other worms have done that). It also can
> autosend e-mail with a subject line of "Mail Transaction Failed" or "Mail
> Delivery System". Lovely.
>
> On Tue, 27 Jan 2004, David Kramer wrote:
>
> >
> >
> > I just got this. As far as I know, my relays are closed tight and my
> > firewall is solid. Is this spam?
> >
> > Could someone try relaying through thekramers.net and let me know if it
> > fails or succeeds?
> >
> > I can't see anything I sent to them:
> > [root at uni /var/log]# grep surfnet.nl *
> > [root at uni /var/log]# grep hsbos.nl *
> > mail:Jan 27 08:39:27 uni postfix/smtpd[14647]: connect from
> > mail.hsbos.nl[192.87.129.131]
> > mail:Jan 27 08:39:27 uni postfix/smtpd[14647]: B08F31C6C9:
> > client=mail.hsbos.nl[192.87.129.131]
> > mail:Jan 27 08:39:28 uni postfix/cleanup[14649]: B08F31C6C9:
> > message-id=<VSXXD4dveo at mail.hsbos.nl>
> > mail:Jan 27 08:39:28 uni spamd[14720]: processing message
> > <VSXXD4dveo at mail.hsbos.nl> for david:500.
> > mail:Jan 27 08:39:28 uni postfix/smtpd[14647]: disconnect from
> > mail.hsbos.nl[192.87.129.131]
> > mail.info:Jan 27 08:39:27 uni postfix/smtpd[14647]: connect from
> > mail.hsbos.nl[192.87.129.131]
> > mail.info:Jan 27 08:39:27 uni postfix/smtpd[14647]: B08F31C6C9:
> > client=mail.hsbos.nl[192.87.129.131]
> > mail.info:Jan 27 08:39:28 uni postfix/cleanup[14649]: B08F31C6C9:
> > message-id=<VSXXD4dveo at mail.hsbos.nl>
> > mail.info:Jan 27 08:39:28 uni spamd[14720]: processing message
> > <VSXXD4dveo at mail.hsbos.nl> for david:500.
> > mail.info:Jan 27 08:39:28 uni postfix/smtpd[14647]: disconnect from
> > mail.hsbos.nl[192.87.129.131]
> >
> >
> > Remaining secure is a priority for me, so please help me out and let me
> > know what you think. See attached message.
> >
> > --
> > DDDD David Kramer david at thekramers.net http://thekramers.net
> > DK KD
> > DKK D Buckle up for safety!
> > DK KD It makes it harder for the aliens to suck you out of your car.
> > DDDD
> >
> >
> >
> >
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 27 Jan 2004 14:39:36 +0100 (CET)
> > From: Anti-Virus <virusmelding at hsbos.nl>
> > To: david at thekramers.net
> > Subject: VIRUS (Worm.SCO.A) IN YOUR MAIL
> >
> > VIRUS ALERT
> >
> > Our virus checker found
> > virus: Worm.SCO.A
> > in your email to the following recipient:
> > -> pschouten at hsbos.nl
> >
> > Delivery of the email was stopped!
> >
> > Please check your system for viruses,
> > or ask your system administrator to do so.
> >
> > For your reference, here are headers from your email:
> > ------------------------- BEGIN HEADERS -----------------------------
> > Received: from thekramers.net (unknown [65.203.121.147])
> >     by relay.surfnet.nl (Postfix) with ESMTP id AF6C63F461
> >     for <pschouten at hsbos.nl>; Tue, 27 Jan 2004 14:37:23 +0100 (MET)
> > From: david at thekramers.net
> > To: pschouten at hsbos.nl
> > Subject: Mail Delivery System
> > Date: Tue, 27 Jan 2004 07:38:47 -0600
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> >     boundary="----=_NextPart_000_0010_EE6E125F.674244BF"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > Message-Id: <20040127133723.AF6C63F461 at relay.surfnet.nl>
> > -------------------------- END HEADERS ------------------------------
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
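
An added example, not part of the original thread: one way to triage a "you sent a virus" alert like the one quoted above is to ignore the forgeable From and HELO values and compare the client IP that the receiving relay recorded in its Received header against the addresses your own mail server sends from. The function name `assess_alert` and the `MY_OUTBOUND_IPS` set are hypothetical, 192.0.2.10 is a documentation placeholder, and the sample headers are copied from the alert with the archive's " at " restored to "@".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block from the alert quoted above ("@" restored from " at ").
ALERT_HEADERS = """\
Received: from thekramers.net (unknown [65.203.121.147])
\tby relay.surfnet.nl (Postfix) with ESMTP id AF6C63F461
\tfor <pschouten@hsbos.nl>; Tue, 27 Jan 2004 14:37:23 +0100 (MET)
From: david@thekramers.net
To: pschouten@hsbos.nl
Subject: Mail Delivery System
Message-Id: <20040127133723.AF6C63F461@relay.surfnet.nl>
"""

# Assumption: the addresses your own MTA sends from. 192.0.2.10 is a
# documentation placeholder, not the real address of any host in the thread.
MY_OUTBOUND_IPS = {"192.0.2.10"}

# Postfix-style "from HELO (rdns [ip])" clause of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def assess_alert(raw_headers, my_ips):
    """Decide whether a virus alert really points at our own mail server."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The topmost Received header was written by the receiving relay, so the
    # client IP in it is what that relay observed; From and HELO are chosen
    # by whoever connected and prove nothing.
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(" ".join(received[0].split())) if received else None
    if not m:
        return {"verdict": "unparseable"}
    helo, rdns, ip = m.groups()
    return {
        "from_domain": from_domain,
        "helo": helo,
        "rdns": rdns,
        "client_ip": ip,
        "helo_matches_from": helo.lower() == from_domain,
        "verdict": "sent-by-us" if ip in my_ips else "not-our-server",
    }

if __name__ == "__main__":
    for key, value in assess_alert(ALERT_HEADERS, MY_OUTBOUND_IPS).items():
        print(f"{key}: {value}")
```

A "not-our-server" verdict together with an empty grep of the local mail log for the recipient's domain is consistent with a forged sender rather than an open relay.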