Re: [sniffer] New Spam/Virus?

2005-06-06 Thread Pete McNeil
On Monday, June 6, 2005, 5:13:19 PM, Jim wrote:

JM Is anyone else seeing a huge rash of spam/virus messages in
JM the last hour or so? I have multiple users that are getting
JM messages that are forging our own addresses and have a link that
JM appears to go to our website but instead goes elsewhere with an IP
JM address link. These do not appear to be infecting as file
JM attachments but from the web link itself. Pete, I have forwarded
JM a few to your spam@ address, let me know what you think.

I will go and check it out.

_M


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
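The lure Jim describes, visible link text that looks like the organisation's own site while the href resolves to a bare IP address, sent under a forged From in the organisation's own domain, is something a content filter can score directly. The following is an added example rather than anything from this thread or from Message Sniffer; the sample message, the example.org domain and the 192.0.2.10 address are constructed.

```python
"""Flag link/text mismatches and IP-literal links in an HTML mail body.

Added example, not part of the Message Sniffer thread or product. The
message below, the protected domain and the 192.0.2.10 address are
constructed (RFC 5737 documentation range)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.org"  # assumption: the domain the filter protects

# Constructed sample: From forged as our own domain, link text shows our
# site, href actually goes to a raw IP address.
SAMPLE_MAIL = """\
From: support@example.org
To: user@example.org
Subject: Account confirmation
Content-Type: text/html

<html><body>
<p>Dear Valued Member, According to our site policy you will have to
confirm your account by the following link or else your account will be
suspended within 24 hours for security reasons.</p>
<p><a href="http://192.0.2.10/confirm.php">https://www.example.org/account</a></p>
</body></html>
"""

# Same constructed message with the link pointing where its text says.
BENIGN_MAIL = SAMPLE_MAIL.replace('href="http://192.0.2.10/confirm.php"',
                                  'href="https://www.example.org/account"')

# A hostname written in visible link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True if host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_registrable(a, b):
    """Crude match on the last two labels; enough for a filter heuristic."""
    return ".".join(a.lower().split(".")[-2:]) == ".".join(b.lower().split(".")[-2:])


def analyse(raw):
    """Return (rule, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    collector = AnchorCollector()
    collector.feed(body)

    findings = []
    for href, text in collector.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        if is_ip_literal(href_host):
            findings.append(("ip-literal-link", href))
        shown = DOMAIN_RE.search(text)
        if shown and href_host and not same_registrable(shown.group(1), href_host):
            findings.append(("link-text-mismatch", f"{shown.group(1).lower()} -> {href_host}"))

    # A From in our own domain is only a signal together with a lure;
    # on its own it describes every legitimate internal message.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if from_domain and same_registrable(from_domain, OUR_DOMAIN) and findings:
        findings.append(("forged-own-domain", msg["From"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_MAIL):
        print(f"{rule:20} {detail}")
```

Each rule alone is weak (IP-literal links turn up in legitimate intranet mail, and a From in our own domain is every internal message), so the forged-domain rule only fires alongside a link finding; in a real filter these findings would add weight rather than reject outright.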


RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew



I'm seeing what Scott sees, but the payload is an encrypted zip.

VirusTotal.com says:

This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD".

Antivirus    Version         Update      Result
-----------  --------------  ----------  -----------------------
AntiVir      6.30.0.15       06.06.2005  no virus found
AVG          718             06.06.2005  no virus found
Avira        6.30.0.15       06.06.2005  no virus found
BitDefender  7.0             06.06.2005  no virus found
ClamAV       devel-20050501  06.06.2005  Worm.Mytob.CO
DrWeb        4.32b           06.06.2005  Win32.HLLM.MyDoom.44
eTrust-Iris  7.1.194.0       06.05.2005  no virus found
eTrust-Vet   11.9.1.0        06.06.2005  no virus found
Fortinet     2.27.0.0        06.06.2005  W32/MyTob.EN-mm
Ikarus       2.32            06.06.2005  no virus found
Kaspersky    4.0.2.24        06.06.2005  Net-Worm.Win32.Mytob.bg
McAfee       4507            06.06.2005  Generic Malware.a!zip
NOD32v2      1.1131          06.06.2005  Win32/Mytob.DO
Norman       5.70.10         06.06.2005  W32/Mytob.GE
Panda        8.02.00         06.06.2005  no virus found
Sybari       7.5.1314        06.06.2005  W32/Mytob.G
Symantec     8.0             06.06.2005  no virus found
TheHacker    5.8-3.0         06.06.2005  no virus found
VBA32        3.10.3          06.06.2005  Net-Worm.Win32.Mytob.bg

VirusTotal is a free service offered by Hispasec Sistemas. There 
are no guarantees about the availability and continuity of this service. 
Although the detection rate afforded by the use of multiple antivirus engines is 
far superior to that offered by just one product, these results DO NOT guarantee 
the harmlessness of a file. Currently, there is not any solution that offers a 
100% effectiveness rate for detecting viruses and malware.



Andrew 8)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
  Sent: Monday, June 06, 2005 2:29 PM
  To: sniffer@SortMonster.com
  Cc: Declude.Virus@declude.com
  Subject: Re: [sniffer] New Spam/Virus?
  
  Yes I have seen them too:
  
  email starts with:
  
  Dear Valued Member, According to our site policy 
  you will have to confirm your account by the following link or else your 
  account will be suspended within 24 hours for security reasons.
  
- Original Message - 
From: Jim Matuska
To: sniffer@SortMonster.com
Sent: Monday, June 06, 2005 4:13 PM
Subject: [sniffer] New Spam/Virus?


Is anyone else seeing a huge rash of spam/virus 
messages in the last hour or so? I have multiple users that are 
getting messages that are forging our own addresses and have a link that 
appears to go to our website but instead goes elsewhere with an IP address 
link. These do not appear to be infecting as file attachments but from 
the web link itself. Pete, I have forwarded a few to your spam@ 
address, let me know what you think.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
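Andrew's report is what a fresh sample typically looks like: nine of the nineteen engines flag the file, under seven different names, and the rest, several large vendors among them, see nothing through the encrypted zip. The script below is an added example (not from the thread, not VirusTotal's code): it parses the report rows, reduces each vendor label to a family token, and reports the detection ratio and the majority family, which is a sounder basis for a filter decision than any single vendor's verdict. The pipe-separated layout is an assumption; the rows are those from the report above.

```python
"""Summarise a multi-engine AV report: detection ratio and family consensus.

Added example, not from the thread or from VirusTotal. The pipe-separated
layout is an assumption; the rows reproduce the report posted above."""
import re
from collections import Counter

REPORT = """\
Antivirus|Version|Update|Result
AntiVir|6.30.0.15|06.06.2005|no virus found
AVG|718|06.06.2005|no virus found
Avira|6.30.0.15|06.06.2005|no virus found
BitDefender|7.0|06.06.2005|no virus found
ClamAV|devel-20050501|06.06.2005|Worm.Mytob.CO
DrWeb|4.32b|06.06.2005|Win32.HLLM.MyDoom.44
eTrust-Iris|7.1.194.0|06.05.2005|no virus found
eTrust-Vet|11.9.1.0|06.06.2005|no virus found
Fortinet|2.27.0.0|06.06.2005|W32/MyTob.EN-mm
Ikarus|2.32|06.06.2005|no virus found
Kaspersky|4.0.2.24|06.06.2005|Net-Worm.Win32.Mytob.bg
McAfee|4507|06.06.2005|Generic Malware.a!zip
NOD32v2|1.1131|06.06.2005|Win32/Mytob.DO
Norman|5.70.10|06.06.2005|W32/Mytob.GE
Panda|8.02.00|06.06.2005|no virus found
Sybari|7.5.1314|06.06.2005|W32/Mytob.G
Symantec|8.0|06.06.2005|no virus found
TheHacker|5.8-3.0|06.06.2005|no virus found
VBA32|3.10.3|06.06.2005|Net-Worm.Win32.Mytob.bg
"""

CLEAN = {"no virus found", "clean", "ok"}

# Platform, type and packaging words that carry no family information.
NOISE = {"win32", "w32", "net", "worm", "email", "generic", "malware",
         "hllm", "mm", "zip", "trojan", "virus", "i"}


def family_of(label):
    """Reduce a vendor label to a family token, or None for generic labels.

    The label is split on punctuation; platform/type words, short variant
    suffixes (CO, bg) and numeric tokens (44) are dropped; the first token
    left is taken as the family name."""
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if tok and tok not in NOISE and len(tok) > 2 and not tok.isdigit():
            return tok
    return None


def parse_report(text):
    """Yield (engine, result) from the pipe-separated rows, skipping the header."""
    rows = [line.split("|") for line in text.strip().splitlines()]
    for engine, _version, _update, result in rows[1:]:
        yield engine, result.strip()


def summarise(text):
    """Return engine count, detection count, per-family votes and consensus."""
    engines = 0
    detections = 0
    families = Counter()
    for _engine, result in parse_report(text):
        engines += 1
        if result.lower() in CLEAN:
            continue
        detections += 1
        fam = family_of(result)
        if fam:
            families[fam] += 1
    consensus = families.most_common(1)[0][0] if families else None
    return {"engines": engines, "detections": detections,
            "families": dict(families), "consensus": consensus}


if __name__ == "__main__":
    s = summarise(REPORT)
    print(f"{s['detections']}/{s['engines']} engines detect; "
          f"family consensus: {s['consensus']} {s['families']}")
```

For this report the summary is 9 of 19 engines detecting, seven of them agreeing on Mytob, one saying MyDoom and one (McAfee) giving only a generic archive label; a filter keyed to "the majority family is a known mass-mailer" would act here even though the big-name engines that many sites rely on alone returned clean.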


Re: [sniffer] New Spam/Virus?

2005-06-06 Thread Nick Hayer




Was this the ip?
209.67.220.164

This is the only address I have seen - 

-Nick



Scott Fisher wrote:

  
   Yes I have seen them too: 
   
   email starts with: 
  
  Dear Valued Member, 
  
  According to our site policy you will have to confirm your
account by the following link or else your account will be suspended
within 24 hours for security reasons.
  
  
  





Re: [sniffer] New Spam/Virus?

2005-06-06 Thread Jim Matuska



That's the one I am seeing too.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Nick Hayer
  To: sniffer@SortMonster.com
  Sent: Monday, June 06, 2005 2:42 PM
  Subject: Re: [sniffer] New Spam/Virus?
  Was this the ip?
209.67.220.164

This is the only address I have seen - 

-Nick


RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Dave Koontz




Same exact IP here!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Monday, June 06, 2005 5:42 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] New Spam/Virus?
Was this the ip?
209.67.220.164

This is the only address I have seen - 

-Nick



Re: [sniffer] New Spam/Virus?

2005-06-06 Thread Matt




FYI,

This virus appears to be using multiple forms of infection. One seems
to link to the IP where you are prompted to run/download the infected
program and the others have infected attachments in the E-mail itself.

Based on reviewing my logs and spam capture file, it appears that
initially they were all mass mailed from 66.251.60.35 including the
linked IP in the body that everyone was seeing. Then when I stopped
seeing these in my Hold/review range about 2 hours ago, I started
seeing E-mails come in with attachments that were being blocked by at
least McAfee. I'm thinking that 66.251.60.35 was being used to seed
the virus using a link to the payload and now the infected computers
from this seeding run are sending the actual virus out as an attachment.

Matt



Pete McNeil wrote:

  New rule - 369676 under Malware.

New experimental rule on message structure: 369677

_M

On Monday, June 6, 2005, 6:13:23 PM, Dave wrote:

DM New target ip:  205.138.199.146

DM -Original Message-
DM From: [EMAIL PROTECTED]
DM [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Matuska
DM Sent: Monday, June 06, 2005 3:01 PM
DM To: sniffer@SortMonster.com
DM Subject: Re: Re[2]: [sniffer] New Spam/Virus?


DM Thanks Pete,
DM What Return code will this be under?

DM Jim Matuska Jr.
DM Computer Tech2, CCNA
DM Nez Perce Tribe
DM Information Systems
DM [EMAIL PROTECTED]
DM - Original Message - 
DM From: "Pete McNeil" [EMAIL PROTECTED]
DM To: "Dave Koontz" sniffer@SortMonster.com
DM Sent: Monday, June 06, 2005 3:00 PM
DM Subject: Re[2]: [sniffer] New Spam/Virus?


  
  

  On Monday, June 6, 2005, 5:50:38 PM, Dave wrote:

DK Same exact IP  here!

We've got a couple of rules for this now -- making the rounds as new
compiles go out.

_M





  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
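Matt's reconstruction, one host seeding lures that link to an IP-literal URL and then the newly infected machines mailing the payload as an attachment, is a pattern that falls out of a mail log once messages are bucketed by time and grouped by connecting IP and delivery vector. The following is an added example and not any list member's tooling; its log format and every address in it (RFC 5737 documentation ranges) are constructed.

```python
"""Triage a mail log for a two-phase outbreak: one source seeding messages
that carry an IP-literal link, then many sources sending an attachment.

Added example, not from the thread or from any list member's tooling.
The log format and every address are constructed (RFC 5737 ranges)."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log: timestamp, connecting IP, link seen in body, attachment name.
LOG = """\
2005-06-06T14:05:11 192.0.2.7 link=http://203.0.113.9/confirm.php attach=-
2005-06-06T14:06:40 192.0.2.7 link=http://203.0.113.9/confirm.php attach=-
2005-06-06T14:20:02 192.0.2.7 link=http://203.0.113.9/confirm.php attach=-
2005-06-06T14:41:58 192.0.2.7 link=http://203.0.113.9/confirm.php attach=-
2005-06-06T16:02:13 198.51.100.23 link=- attach=document.zip
2005-06-06T16:10:45 198.51.100.77 link=- attach=document.zip
2005-06-06T16:15:30 203.0.113.44 link=- attach=readme.zip
2005-06-06T16:31:09 198.51.100.23 link=- attach=document.zip
2005-06-06T16:33:51 192.0.2.150 link=http://www.example.net/news attach=-
"""

EPOCH = datetime(1970, 1, 1)


def is_ip_literal(host):
    """True if host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(link, attach):
    """Name the delivery vector a message used ("-" means absent)."""
    if attach != "-":
        return "attachment"
    if link != "-":
        host = urlparse(link).hostname or ""
        return "ip-link" if is_ip_literal(host) else "domain-link"
    return "none"


def parse_log(text):
    """Yield (timestamp, source IP, vector) for each constructed log line."""
    for line in text.strip().splitlines():
        ts, src, link, attach = line.split()
        yield (datetime.fromisoformat(ts), src,
               classify(link[len("link="):], attach[len("attach="):]))


def phase_report(text, bucket=timedelta(hours=1)):
    """Bucket messages by time; per bucket count vectors and connecting IPs."""
    buckets = defaultdict(lambda: {"vectors": Counter(), "sources": Counter()})
    for ts, src, vector in parse_log(text):
        start = EPOCH + ((ts - EPOCH) // bucket) * bucket
        buckets[start]["vectors"][vector] += 1
        buckets[start]["sources"][src] += 1
    return [{"start": start, **buckets[start]} for start in sorted(buckets)]


def seed_candidates(text, min_messages=3):
    """Sources that sent several IP-link lures: the likely seeding hosts."""
    counts = Counter(src for _ts, src, vector in parse_log(text)
                     if vector == "ip-link")
    return sorted(src for src, n in counts.items() if n >= min_messages)


if __name__ == "__main__":
    for b in phase_report(LOG):
        print(b["start"].isoformat(), dict(b["vectors"]),
              f"{len(b['sources'])} distinct source(s)")
    print("seed candidates:", seed_candidates(LOG))
```

On the constructed log the first hour shows a single source sending only IP-link lures and the later hour shows four sources, none of them the seeder, sending attachments; that shape (few sources, link vector, then many sources, attachment vector) is the signature Matt inferred by hand, and the seed-candidate list is what you would hand to the block list or the abuse contact.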




RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew



http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

This is the virus that I was seeing. The one that Jim and others are seeing may 
be this MyTob, whose description was still pending when I was at Trend's 
site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDW

and may be the same as:

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

Andrew 8)

  