On Monday, June 6, 2005, 5:13:19 PM, Jim wrote:
JM Is anyone else seeing a huge rash of spam/virus messages in
JM the last hour or so? I have multiple users that are getting
JM messages that are forging our own addresses and have a link that
JM appears to go to our website but instead goes
Title: Message
I'm
seeing what Scott sees, but the payload is an encrypted zip.
VirusTotal.com says:
This is a report
processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.
Antivirus
Version
Update
Result
Was this the ip?
209.67.220.164
This is the only address I have seen -
-Nick
Scott Fisher wrote:
Yes I have seen them too:
email starts with:
Dear Valued Member,
According to our site policy you will have to confirm your
account by the following link or else
That's the one I am seeing too.
Jim Matuska Jr.Computer Tech2, CCNANez
Perce TribeInformation Systems[EMAIL PROTECTED]
- Original Message -
From:
Nick
Hayer
To: sniffer@SortMonster.com
Sent: Monday, June 06, 2005 2:42 PM
Subject: Re: [sniffer] New
Spam/Virus?
Same exact IP
here!
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
HayerSent: Monday, June 06, 2005 5:42 PMTo:
sniffer@SortMonster.comSubject: Re: [sniffer] New
Spam/Virus?
Was this the ip?
209.67.220.164
This is the only address I have seen -
-Nick
Scott Fisher
On Monday, June 6, 2005, 5:50:38 PM, Dave wrote:
DK Same exact IP here!
We've got a couple of rules for this now -- making the rounds as new
compiles go out.
_M
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
Thanks Pete,
What Return code will this be under?
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Dave Koontz sniffer@SortMonster.com
Sent: Monday, June 06, 2005 3:00 PM
Subject:
New target ip: 205.138.199.146
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Monday, June 06, 2005 3:01 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] New Spam/Virus?
Thanks Pete,
What Return code will this be under?
One rule (369660) will code to 53 (scams).
Another (369650) will code to 53 (scams).
Another (369634) also codes to 53 (scams).
The rules got the scam tag because it presents like a phishing scam.
I'll be watching for evidence of additional polymorphism and we will
adapt. Now that we know this
New rule - 369676 under Malware.
New experimental rule on message structure: 369677
_M
On Monday, June 6, 2005, 6:13:23 PM, Dave wrote:
DM New target ip: 205.138.199.146
DM -Original Message-
DM From: [EMAIL PROTECTED]
DM [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
DM Sent:
FYI,
This virus appears to be using multiple forms of infection. One seems
to link to the IP where you are prompted to run/download the infected
program and the others have infected attachments in the E-mail itself.
Based on reviewing my logs and spam capture file, it appears that
initially
Title: Message
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
This
is the virus that I was seeing. The one that Jim and others are seeing may
be this MyTob, whose description was
12 matches
Mail list logo
