[pmmail-list] Filter for newest virus

Kenneth Porter pmmail-list@blueprintsoftwareworks.com
Tue, 27 Nov 2001 07:40:07 -0800


On Tue, 27 Nov 2001 09:35:11 -0500, Allan McLane wrote:

>Here is part of a message that contained the Badtrans virus that we received at the ISP I provide support for. Every one so far seems to share these two characteristics: aol.com as the hostname and an underscore as the leading character in the From address.

I have one that lacks the underscore. 8 others have the underscore.

All seem to have the aol.com in the transmission path, but one puts it
in a "helo=aol.com" comment, so it appears that the worm connects to
the SMTP server and uses "HELO aol.com" to begin the submission, and
this particular sample went to an SMTP server that fights forgery.

All appear to have no plaintext body, and a simple HTML body with just
a background color and an iframe pointing at the attachment.

Comparing the first few lines of the encoded attachment on a few
messages indicates that the payloads are identical. The name and type
vary but always follow the double-extension pattern seen in SirCam.

Ken
mailto:shiva@well.com
http://www.sewingwitch.com/ken/
[If answering a mailing list posting, please don't cc me your reply. I'll take my answer on the list.]
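The traits listed in this thread (aol.com in the Received path or HELO, a leading underscore in the From local part, no text/plain part, an HTML body whose iframe points at the attachment, and a SirCam-style double-extension filename) can be scored as a simple mail filter. The following is an added example, not code from the list or from Ken or Allan: the indicator names, the threshold of three hits, and both sample messages are constructed for illustration, and it only inspects message structure, it never decodes or runs the attachment.

```python
"""Heuristic scorer for the Badtrans traits described in the post.

Added example, not from the PMMail list or the posters. Indicator names,
the threshold, the regexes and both sample messages are constructed here.
"""
import email
import re
from email import policy

# Filename with two extensions, e.g. "README.DOC.pif" (pattern is an
# assumption modelled on the double-extension naming the post mentions).
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$", re.IGNORECASE)
# An <iframe> whose src references a MIME part by Content-ID.
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:", re.IGNORECASE)


def badtrans_indicators(raw: bytes) -> dict:
    """Return {indicator_name: bool} for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # 1. aol.com anywhere in the Received chain, including a "helo=aol.com"
    #    comment added by a server that records the claimed HELO name.
    received = " ".join(str(h) for h in msg.get_all("Received", []))
    aol_in_path = "aol.com" in received.lower()

    # 2. Leading underscore in the local part of the From address.
    m = re.search(r"<?([^<>\s]+)@", str(msg.get("From", "")))
    underscore_from = bool(m) and m.group(1).startswith("_")

    has_plain = iframe_html = double_ext = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            has_plain = True                      # 3. worm samples lack this
        elif ctype == "text/html":
            if IFRAME_CID.search(part.get_content()):
                iframe_html = True                # 4. iframe -> attachment
        fname = part.get_filename()               # Content-Disposition or name=
        if fname and DOUBLE_EXT.search(fname):
            double_ext = True                     # 5. double extension

    return {
        "aol_in_path": aol_in_path,
        "underscore_from": underscore_from,
        "no_plaintext": not has_plain,
        "iframe_to_attachment": iframe_html,
        "double_extension": double_ext,
    }


def looks_like_badtrans(raw: bytes, threshold: int = 3) -> bool:
    """Flag when at least `threshold` indicators fire (threshold is an assumption)."""
    return sum(badtrans_indicators(raw).values()) >= threshold


# Constructed sample shaped like the post's description; not a real capture.
# The base64 body is the string "not a real payload", not an executable.
WORM_SAMPLE = b"""\
Received: from aol.com ([192.0.2.10] helo=aol.com) by mx.example.net with SMTP
From: _victim@example.org
To: user@example.net
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="iso-8859-1"

<html><body bgcolor="#ffffff"><iframe src="cid:attachment1" height="0" width="0"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="README.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID: <attachment1>

bm90IGEgcmVhbCBwYXlsb2Fk
--b1--
"""

# Constructed ordinary message with a text part and a single-extension attachment.
BENIGN_SAMPLE = b"""\
Received: from mail.example.org ([192.0.2.20]) by mx.example.net with ESMTP
From: alice@example.org
To: user@example.net
Subject: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Notes attached.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwYXlsb2Fk
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, badtrans_indicators(sample), looks_like_badtrans(sample))
```

Scoring several weak indicators rather than matching on one keeps the filter useful for the sample Ken mentions that lacks the underscore, and the threshold can be tuned against a site's own mail before anything is quarantined.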



- pmmail-list - The PMMail Discussion List ---------------------------
To POST to the list, send your message to:
pmmail-list@blueprintsoftwareworks.com

To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com
---------------------------------------------------------------------