maybe this should be on sec focus but.

I have had like 4 users call and tell me that they’re receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.

FYI.

Thus spake Drew Weaver (drew.weaver@thenap.com) [01/08/03 14:25]:

I have had like 4 users call and tell me that they're receiving
email from admin@ourdomainname with an unidentified attachment, possibly a
worm that exploits the new Microsoft vulnerability last week, all 4 of these
people reported that their updated this morning antivirus software missed
it.

The latest NAI definitions catch it as Exploit-Codebase (which I *think* is
just a general catchall). We have an open ticket with F-Prot for this, and
are currently waiting on updated definitions from them.

  - Damian

That's funny, I had at least one person here receive a similar email which
was forwarded on to me. I ran it through McAfee (4.5.1 engine, 4.0.4280
DAT) and it picked it right up (Trojan Name: Exploit-Code Base
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99383).
Potentially it's a different incident than what they are talking about but
the admin@domainname and the attachment are similar (it was a zip file
containing an html file [according to the extensions]).

Forrest

I've captured this guy here actually directed at me.

<thank goodness for pine:)>

It appears to attach itself as message.zip, not sure if it attaches using
other names.

Sounds like mimail. See

http://vil.nai.com/vil/content/v_100523.htm

         ---Mike

Friday, August 1, 2003, 11:45:25 AM, you wrote:

I have had like 4 users call and tell me that they're receiving
email from admin@ourdomainname with an unidentified attachment, possibly a
worm that exploits the new Microsoft vulnerability last week, all 4 of these
people reported that their updated this morning antivirus software missed
it.

I believe it is this:

I've overheard the same calls starting this morning also, all
pertaining to emails supposedly from admin@ourdomain.com.

Regards,

Joe Boyce

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html

Bob German, CISSP, CCNA, MCSE
Sr Systems Engineer
Irides, LLC

Forrest Houston <fhouston@east.isi.edu>
Sent by: owner-nanog@merit.edu
08/01/2003 02:28 PM
To: Drew Weaver <drew.weaver@thenap.com>
cc: "'nanog@merit.edu'" <nanog@merit.edu>
Subject: Re: maybe this should be on sec focus but.

That's funny, I had at least one person here receive a similar email which
was forwarded on to me. I ran it through McAfee (4.5.1 engine, 4.0.4280
DAT) and it picked it right up (Trojan Name: Exploit-Code Base
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99383).
Potentially it's a different incident than what they are talking about but
the admin@domainname and the attachment are similar (it was a zip file
containing an html file [according to the extensions]).

Forrest

I have had like 4 users call and tell me that they're receiving
email from admin@ourdomainname with an unidentified attachment, possibly a
worm that exploits the new Microsoft vulnerability last week, all 4 of these