-Caveat Lector-
------- Start of forwarded message -------
From: [EMAIL PROTECTED]
To: "VirusEye Subscriber" <[EMAIL PROTECTED]>
Subject: Fwd: WARNING: New Troj/Maz.C Trojan
Date: 11/21/02 9:31:14 AM
The details of the new trojan variant are as follows:
Trojan name: Troj/Maz.C
Aliases: Downloader-BO.dr
Number of copies seen so far: 5
Time & Date first Captured: 19 Nov 2002, 14:37 GMT
Origin of first intercepted copy: USA
Number of countries seen active: 2
Most active countries: USA, UK
Technical Details
The new Troj/Maz.C variant has been e-mailed to a number of users. From the copies that
we have seen, the message appears as follows:
From: MAILER-DAEMON@(recipient domain)
Subject: FAILED DELIVERY
Body :
Unfortunately, it was not possible to deliver one or more of your
messages. For more information, please, take a look in the
attachment.
Attachment: mail.hta
Behaviour
In copies that we have intercepted the attachment displays an HTML advert, but contains a
Visual Basic script that drops a variant of the Downloader-BO (a.k.a. Inor) component,
which subsequently attempts to download and install the Backdoor-AML (a.k.a. Jeem)
component from a website, hosted at:
wind.prohosting.com/jimkre
The Backdoor-AML component opens three TCP ports that may be used to access the
compromised machine remotely, 6079, 5262 and 4668. The 4668 port may subsequently
be used as an SMTP relay to further distribute the e-mail component to other recipients.
Comment
It is recommended that customers should ensure that they have configured their firewall
software to block any incoming TCP traffic on these ports.
Further details on the Troj/Maz.A and Troj/Maz.B trojans may be found on the MessageLabs
website at:
http://www.messagelabs.com/viewNewsPR.asp?id=109&cmd=PR
If you have any questions, please contact the MessageLabs Help Desk, or your Customer
Services Executive.
This email was sent to you because you subscribe to MessageLabs' Virus Alert service.
You can cancel your subscription on the MessageLabs website at
http://www.messagelabs.com/AlertUnsubscribe
MessageLabs is a leading provider of Internet-level managed email security services.
Through its SkyScan portfolio of services, MessageLabs customers are protected from
email-borne threats such as viruses, unsolicited mail and pornographic material, before
such content comes anywhere near their network boundaries.
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________
-------- End of forwarded message --------
From
~~~~~~~~~~~~~~~
A<>E<>R
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Forwarded as information only; I don't believe everything I read or send
(but that doesn't stop me from considering it; obviously SOMEBODY thinks it's
important)
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
In accordance with Title 17 U.S.C. section 107, this material is distributed without
charge or profit to those who have expressed a prior interest in receiving this type of
information for non-profit research and educational purposes only.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Always do sober what you said you'd do drunk. That will teach you to keep your mouth
shut."
--- Ernest Hemingway
http://www.ctrl.org/
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance--not soap-boxing--please! These are
sordid matters and 'conspiracy theory'--with its many half-truths,
misdirections and outright frauds--is used politically by different groups with
major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRL gives no endorsement to the validity of posts, and
always suggests to readers; be wary of what you read. CTRL gives no
credence to Holocaust denial and Nazis need not apply.
Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://peach.ease.lsoft.com/archives/ctrl.html
http:[EMAIL PROTECTED]/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]
To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]
Om
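
The message traits listed in the forwarded alert above (MAILER-DAEMON sender, subject "FAILED DELIVERY", attachment mail.hta) can be checked at a mail gateway. The following is an added example, not part of the original post or MessageLabs' own code; the function names, the example.com addresses, the verdict rules and the sample messages are constructed for illustration. It goes slightly beyond the alert by flagging any .hta attachment, whatever its name or case.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr


def maz_c_indicators(raw: bytes) -> list:
    """Return which traits from the alert's message description a raw e-mail matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.split("@")[0].upper() == "MAILER-DAEMON":
        hits.append("from-mailer-daemon")
    if str(msg.get("Subject", "")).strip().upper() == "FAILED DELIVERY":
        hits.append("subject-failed-delivery")
    for part in msg.walk():
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, so "x.hta." still opens as HTA.
        if name.lower().rstrip(". ").endswith(".hta"):
            hits.append("hta-attachment:" + name)
    return hits


def verdict(raw: bytes) -> str:
    """Assumed policy: any HTA attachment is quarantined; header-only matches get review."""
    hits = maz_c_indicators(raw)
    if any(h.startswith("hta-attachment:") for h in hits):
        return "quarantine"
    return "review" if len(hits) == 2 else "deliver"


def build_sample(sender, subject, filename=None) -> bytes:
    """Build a constructed test message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("Unfortunately, it was not possible to deliver one or more of your messages.")
    if filename:
        m.add_attachment(b"<html>constructed placeholder</html>",
                         maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("MAILER-DAEMON@example.com", "FAILED DELIVERY", "mail.hta"),
                 ("MAILER-DAEMON@example.com", "Undelivered Mail Returned to Sender"),
                 ("someone@example.org", "hello", "Invoice.HTA.")]:
        raw = build_sample(*args)
        print(verdict(raw), maz_c_indicators(raw))
```

A real bounce from MAILER-DAEMON with a different subject and no HTA attachment passes through, so the check does not block ordinary delivery-failure reports.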