I received one today. The email had NAV32.zip, and in the zip file was NAV32.exe.

It was NOT detected as a virus by EITHER F-Prot or AVG. It was, however, caught as spam by CBL, FIVETEN-SPAM, SPAMCOP.

The header of the email was:

Received: from c-67-164-195-92.client.comcast.net [67.164.195.92] by phcc.org (SMTPD32-8.03) id AE4F17E00F8; Tue, 07 Oct 2003 07:06:55 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 7 Oct 2003 04:10:24 -0700
From: <[EMAIL PROTECTED]>
Subject: ** 22. CBL, FIVETEN-SPAM, SPAMCOP, WEIGHT-F, WEIGHT20, WEIGHT202 ** Last Update.
To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"
X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=67.164.195.92
X-RBL-Warning: FIVETEN-SPAM: 92.195.164.67.blackholes.five-ten-sg.com.
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?67.164.195.92
X-Declude-Sender: [EMAIL PROTECTED] [67.164.195.92]
X-Declude-Spoolname: D9e4f017e00f890ba.SMD
X-In-Date: 10/07/2003 Time: 07:07:23 -0500 ET.
X-Country-Chain: UNITED STATES->destination
X-In-Note: This E-mail was comming into phcc.org Declude ver.1.76i5.
X-In-Spam-Tests-Failed: CBL, FIVETEN-SPAM, SPAMCOP, WEIGHT-F, WEIGHT20, WEIGHT202 Total Weight= 22
x-In-Organization: DcMetroNet.com is the ISP for phcc.org
X-In-Abuse: Please send abuse reports to [EMAIL PROTECTED]
X-In-Note: This E-mail was sent from ([EMAIL PROTECTED]) c-67-164-195-92.client.comcast.net ([67.164.195.92]).
X-In-Recips: [EMAIL PROTECTED] really [EMAIL PROTECTED]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 349908174

Sincerely,
William J. Baumbach II
[EMAIL PROTECTED]
9975 Pennsylvania Ave.
Manassas, Va. 20110-2028
Ph: 703-367-7900 ext:1708
Fax: 703-691-0946

-------------------------------------------------------------
----- Original Message -----
From: "Bill Naber" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 7:55 AM
Subject: [Declude.Virus] W32_Webb_Worm Policy - Is this a new hoax

I just received an Email from "[EMAIL PROTECTED]" with the subject "Last Update.". The message warns of the [EMAIL PROTECTED] worm, but a search on the Symantec site shows nothing of the kind. The message has a Nav32.zip attachment that doesn't fail on either F-Prot or NAV.

The message appears to have originated via an ameritech.net dsl connection and it has some grammatical errors, so I'm not doubting that it is bogus. I've only received one of these messages, but I am curious if I'm on the leading edge or if this is a very random incident.

In the short run, I've put in a filter on messages from [EMAIL PROTECTED], but I'm concerned that it will use other return addresses. I've included the text from the message body and the headers below.

Thanks,
-Bill Naber
Kitchin Hospitality, LLC

=============================== Message Body ============================================

October 06, 2003

Intruder Alert 4.1 W32_Webb_Worm Policy

This policy detects the propagation of the W32.SobigF.Worm through changes in the registry. [EMAIL PROTECTED] is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

In attachment you can find program that update your Norton Antivirus to Norton Antivirus 2004.

================================ Message Header ==========================================

Received: from horace.mail.atl.earthlink.net [207.69.200.41] by mail.jamesoninns.com with ESMTP (SMTPD32-7.15) id A328716014C; Tue, 07 Oct 2003 07:27:36 -0400
Received: from samuel.mail.atl.earthlink.net ([207.69.200.65]) by horace.mail.atl.earthlink.net with smtp (Exim 3.33 #1) id 1A6q0J-0005vx-00 for [EMAIL PROTECTED]; Tue, 07 Oct 2003 07:27:47 -0400
X-MindSpring-Loop: [EMAIL PROTECTED]
Received: from adsl-68-77-24-119.dsl.emhril.ameritech.net ([68.77.24.119]) by samuel.mail.atl.earthlink.net (Earthlink Mail Service) with SMTP id 1a6Q0f2aB3Nl3pv0 for <[EMAIL PROTECTED]>; Tue, 7 Oct 2003 07:27:42 -0400 (EDT)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 7 Oct 2003 04:32:14 -0700
From: <[EMAIL PROTECTED]>
Subject: Last Update.
To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"
X-CYBERsitter-SpamManager-In: Passed - Adult: 0 (Req: 50) Spam: 12 (Req: 18) Tot: 10 (Req: 20)
X-CYBERsitter-SpoolFile: Da3280716014c8c2a.SMD
X-Declude-Sender: [EMAIL PROTECTED] [207.69.200.41]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: None
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 324037781

=================================== End ===========================================

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
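
The two header sets above differ in which address the receiving server actually saw: the first message came straight from 67.164.195.92, while the quoted one arrived via an Earthlink relay and shows the DSL address only in its earliest hop. The following Python is an added example, not part of either post; it reads trimmed excerpts of those headers, lists the hop addresses, and builds the reversed-octet query name seen in the FIVETEN-SPAM warning. The function names are hypothetical.

```python
import email
import ipaddress
import re

# Header excerpts copied (and trimmed) from the two messages on this page.
FIRST = (
    "Received: from c-67-164-195-92.client.comcast.net [67.164.195.92] by phcc.org\n"
    " (SMTPD32-8.03) id AE4F17E00F8; Tue, 07 Oct 2003 07:06:55 -0400\n"
    "X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=67.164.195.92\n"
    "X-RBL-Warning: FIVETEN-SPAM: 92.195.164.67.blackholes.five-ten-sg.com.\n"
    "X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?67.164.195.92\n\n"
)
QUOTED = (
    "Received: from horace.mail.atl.earthlink.net [207.69.200.41] by mail.jamesoninns.com\n"
    " with ESMTP (SMTPD32-7.15) id A328716014C; Tue, 07 Oct 2003 07:27:36 -0400\n"
    "Received: from samuel.mail.atl.earthlink.net ([207.69.200.65])\n"
    " by horace.mail.atl.earthlink.net with smtp (Exim 3.33 #1) id 1A6q0J-0005vx-00\n"
    "Received: from adsl-68-77-24-119.dsl.emhril.ameritech.net ([68.77.24.119])\n"
    " by samuel.mail.atl.earthlink.net (Earthlink Mail Service) with SMTP\n\n"
)

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    """IPs from the Received chain in header order: newest hop first.
    Only the topmost header is written by the receiving server itself."""
    msg = email.message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(value)
        if m:
            # IPv4Address raises ValueError on malformed octets such as 999.1.1.1
            ips.append(str(ipaddress.IPv4Address(m.group(1))))
    return ips

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list's zone, as in the FIVETEN-SPAM header."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_tests(raw):
    """Names of the blocklist tests recorded in X-RBL-Warning headers."""
    msg = email.message_from_string(raw)
    return [v.partition(":")[0].strip() for v in msg.get_all("X-RBL-Warning", [])]

if __name__ == "__main__":
    for label, raw in (("first", FIRST), ("quoted", QUOTED)):
        ips = hop_ips(raw)
        print(label, "connecting:", ips[0], "earliest hop:", ips[-1], rbl_tests(raw))
    print(dnsbl_query_name(hop_ips(FIRST)[0], "blackholes.five-ten-sg.com"))
```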
