Thanks for the clarification.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Dave Doherty
> Sent: Wednesday, November 10, 2004 2:17 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] New virus with unusual deployment
>
> Thanks, Andrew-
>
> That is exactly why I gave this wider dissemination than I normally would
> do. The email is completely innocuous, nothing to detect, except for the
> link, which I believe will change as to IP address and port as this
> progresses.
>
> -d
>
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 10, 2004 10:44 AM
> Subject: RE: [Declude.JunkMail] New virus with unusual deployment
>
> > For what it's worth, I don't have the Declude Virus product. The Declude
> > Virus product may catch the IFRAME technique in HTML, but you won't see this
> > technique in HTML, which is why Dave probably thought it was a useful
> > heads-up in the antispam forum.
> >
> > I can add to Dave's description:
> >
> > Trend Micro was detecting both variants early, and calls them MYDOOM.AG and
> > MYDOOM.AH; I've only seen the .AH variety, and less than 20 of those. I
> > think we'll be seeing more of this technique, but perhaps not these
> > particular variants.
> >
> > Both of these viruses can be caught with a BODY text filter, but all you see
> > is a URL. You can check the links Dave wrote up for details of the virus
> > message text and fake headers, but I'll note that each variant uses a link
> > like this (remove the spaces):
> >
> > h t t p : / / [ip address] : 1639 / [filename]
> > h t t p : / / [ip address] : 1640 / [filename]
> >
> > Because it uses a predictable port on which to contact an existing trojan
> > infectee, I coded the colon + port number plus slash with a moderate weight
> > (minus the spaces). I haven't correlated the REMOTEIP with the IP address
> > in the URL.
> >
> > You can readily see that the next flavour could easily use port 80 or 443 to
> > evade content filtering, or it could track a random port and filename,
> > seeing as how it must already be storing addresses, it could easily be
> > storing ports and filenames too.
> >
> > Dave also mentioned that you should keep your Windows up to date. Only the
> > Internet Explorer in Windows XP SP2 is not vulnerable to this. Even Windows
> > Server 2003 is vulnerable. Microsoft didn't patch this hole yesterday,
> > which was "Microsoft Patch Day".
> >
> > Andrew 8)
> >
> > -----Original Message-----
> > From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, November 10, 2004 12:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] New virus with unusual deployment
> >
> > Don't the newer versions of Declude Virus catch the IFRAME vulnerability?
> >
> > Isn't this a post for the virus list?
> >
> > John Tolmachoff
> > Engineer/Consultant/Owner
> > eServices For You
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Dave Doherty
> >> Sent: Tuesday, November 09, 2004 9:36 PM
> >> To: Undisclosed-Recipient:;
> >> Subject: [Declude.JunkMail] New virus with unusual deployment
> >>
> >> Hi, all -
> >>
> >> "Heads up!"
> >>
> >> There is a new variant of the MyDoom virus that does not work in the
> >> usual way.
> >>
> >> Previous MyDoom virii have attached the virus payload to an email
> >> message. The new variants (AH and AI, so far) simply include links to
> >> infected machines. The links exploit the Internet Explorer IFRAME
> >> vulnerability and then worm their way into address books, install SMTP
> >> servers and self-start registry entries, and generally make nuisances of
> >> themselves by sending emails to your contacts encouraging them to click
> >> links back to your machines.
> >>
> >> Since the email does not contain the payload, the virus cannot be caught at
> >> the email level. Therefore, be especially careful that your firewalls
> >> and antivirus programs have the definitions for the new variants and
> >> that all machines on your systems have the very latest patches from
> >> http://windowsupdate.microsoft.com.
> >>
> >> As of this writing, Symantec has published definitions for the AH and
> >> AI variants. McAfee has published only the AH variant. Fortinet and
> >> Sophos have published these variants under the name bofra-a and bofra-b.
> >>
> >> More info is at
> >>
> >> http://www.integratedmar.com/connectit/stories/1319.cfm
> >> http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
> >> http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
> >> http://www.sophos.com/virusinfo/analyses/w32bofrab.html
> >>
> >> -Dave Doherty
> >> Dataworld, Inc.
> >> Skywaves, Inc.
> >>
> >> ---
> >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >>
> >> ---
> >> This E-mail came from the Declude.JunkMail mailing list. To
> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> >> "unsubscribe Declude.JunkMail". The archives can be found at
> >> http://www.mail-archive.com.
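An added example (not code from this thread, and not Declude's own filter syntax) of the BODY-filter idea Andrew describes: score URLs whose host is a bare IP address with an explicit port, weight the two observed ports higher than other non-standard ports, and keep a small weight for port 80/443 or no port since the next variant could move there. It also shows the REMOTEIP correlation he mentions not having done; the sample bodies and addresses are constructed.

```python
import re

# Constructed sample message bodies (not taken from the thread); the hosts are
# RFC 5737 documentation addresses used purely as stand-ins.
SAMPLE_LINKED_BODY = "Hi,\nplease see the details here:\nhttp://192.0.2.17:1639/index.php\n"
SAMPLE_CLEAN_BODY = "Minutes attached, see also http://www.example.com/minutes\n"

# A URL whose host is a literal dotted quad, with an optional :port and a path.
# Hostnames (even ones containing digits) do not match, which keeps the rule
# narrow: the signal is the bare-IP link, not any URL in the body.
IP_URL = re.compile(
    r"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::(?P<port>\d{1,5}))?/(?P<path>\S*)",
    re.IGNORECASE,
)

# Weights in the spirit of a scored body test: the two ports seen in the wild
# score moderately; any other explicit non-standard port on a bare-IP URL still
# scores, because a later variant may rotate ports; port 80/443 or no port gets
# a small weight so the bare-IP signal itself is not lost.
KNOWN_PORTS = {"1639", "1640"}
WEIGHT_KNOWN_PORT = 8
WEIGHT_OTHER_PORT = 4
WEIGHT_BARE_IP = 2


def score_body(body):
    """Return (total_weight, hits); each hit is (ip, port_or_None, weight)."""
    hits = []
    for m in IP_URL.finditer(body):
        port = m.group("port")
        if port in KNOWN_PORTS:
            weight = WEIGHT_KNOWN_PORT
        elif port is None or port in ("80", "443"):
            weight = WEIGHT_BARE_IP
        else:
            weight = WEIGHT_OTHER_PORT
        hits.append((m.group("ip"), port, weight))
    return sum(h[2] for h in hits), hits


def url_ip_matches_sender(hits, remote_ip):
    """The correlation Andrew mentions: does a linked IP equal the connecting
    SMTP client's address (REMOTEIP)? A match suggests the sending machine is
    also the one hosting the link, which is worth extra weight in a filter."""
    return any(ip == remote_ip for ip, _port, _weight in hits)


if __name__ == "__main__":
    total, hits = score_body(SAMPLE_LINKED_BODY)
    print(total, hits, url_ip_matches_sender(hits, "192.0.2.17"))
```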
