I just received an e-mail with this virus/worm. It appears to be not very
nice. I use the preview pane in Outlook and it automatically attempted to
launch the attachment. For once, I'm glad I had the new security features
in Outlook SR-1 that do not allow launching an .exe w/out saving it to the
hard drive first.
The virus had a subject with 255 characters in it. Methinks there was/is an
exploit for subject lines that long.
Subject:
dbaseconfigatssubsatssubdbase415cachedbdupsmillarddupsdbinfodatacollectcrapo
mahaconfig280713busesdupsdbase15adduser4dbase15omaha2baseyearplainviewdbinfo
dbsetupnasdatacrapplainviewomaha3genericadduser4westsidedbsetupdblinkexpdbci
nitdbasedbaseivmillardomaha
From what Symantec and McAfee say, this isn't the worst virus ever, but it's
not very nice, either. Worst part, I guess is that it propagates by
e-mailing itself out to everybody. It then scans for IIS servers that are
not patched for the CodeBlue/Unicode exploit.
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
AVERT is currently analyzing this threat and will post more details shortly.
This is a mass-mailing worm, which also spreads via open shares, and a
Microsoft Web Folder Transversal vulnerability.
The email attachment name seems to be limited to Readme.exe and uses the
icon for an Internet Explorer HTML document.
The virus contains the string : Concept Virus (CV) V.5, Copyright (C) 2001
R.P.China
http:[EMAIL PROTECTED]
Until they come up with a patch, block all file attachments named
"readme.exe".
I'm sure we'll be seeing a lot more of this in the coming days.
Steve
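
The two indicators mentioned in the message above (an attachment named readme.exe and a 255-character subject) can be checked at a mail gateway along these lines. This is an added example, not part of the original thread; the function names, the use of 255 as a quarantine threshold, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy

BLOCKED_NAMES = {"readme.exe"}  # attachment name given in the thread
MAX_SUBJECT_LEN = 255           # length reported in the thread; threshold is an assumption


def normalize(name):
    """Reduce a filename to the form Windows would actually open."""
    # Drop any path component, then the trailing dots/spaces Windows ignores.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ").lower()


def quarantine_reasons(raw):
    """Return a list of reasons to hold a raw RFC 822 message (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if len(subject) >= MAX_SUBJECT_LEN:
        reasons.append(f"subject length {len(subject)}")
    # walk() descends into nested multiparts; get_filename() reads the
    # Content-Disposition filename and falls back to the Content-Type name.
    for part in msg.walk():
        name = part.get_filename()
        if name and normalize(name) in BLOCKED_NAMES:
            reasons.append(f"attachment {name!r}")
    return reasons


# Constructed sample message: long subject plus a case-varied attachment name.
SAMPLE = (
    b"From: a@example.invalid\r\n"
    b"To: b@example.invalid\r\n"
    b"Subject: " + b"x" * 255 + b"\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="ReadMe.EXE."\r\n'
    b"\r\nplaceholder bytes\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(quarantine_reasons(SAMPLE))
```

Matching on the normalized name rather than the literal string catches case changes and trailing dots or spaces that a plain "readme.exe" comparison would miss.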
-----Original Message-----
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Does anyone have any more info on this??
Does NAI have an update? I can't get through to them.
Thanks
Russell
-----Original Message-----
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt. This appeared to be regenerating the readme.eml
files. We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.
Not sure how to stop it from happening again.
John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]