It's a new one not KLEZ ...
-----BEGIN PGP SIGNED MESSAGE-----
A number of people have received email from contacts at other sites
with the subject line "Your Password!"
This is a new email-based worm that hit many European High Energy
Physics sites earlier today and is now affecting sites in the US.
The anti-virus companies have updates available soon, but in the
meantime the SLAC email gateway has stripped on the order of 600
infected email attachments destined to SLAC users. At this time, we
have no reports of infection within SLAC and we should remain safe
even from those who infect their own machines by reading email from
non-SLAC sources (home insititutions, Yahoo, Hotmail, etc.) and then
executing the "Decrypt-password.exe" file.
Here is a quote from the CIAC "Heads-Up" on this latest worm ...
There are reports this morning of DOE sites being hit
by the W32/Frethem.K@mm worm. The worm uses its own
SMTP engine to send itself to email addresses that it
finds in the Microsoft Windows Address Book and in .dbx,
.wab, .mbx, .eml, and .mdb files. The email message
arrives with the following characteristics:
Subject: Re: Your Password!
Attachments: Decrypt-password.exe and Password.txt
Size of attachment: 48,640 bytes
The affected systems are Windows 95, Windows 98,
Windows NT, Windows 2000, Windows XP, and Windows ME.
The worm exploits the "Incorrect MIME Header Can Cause
IE to Execute E-mail Attachment" vulnerability (CIAC
Bulletin L-066) in Microsoft Internet Explorer
(version 5.01 or 5.5 without SP2).
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQCVAwUBPTMKjF1NwfDT0XdRAQGAMQP/YXjQ8xz4XnRk02OYyrGKzDSQEaIOBm/Y
H19u0QJ9t68UH8bpOf3uGtZFNV4koieizW2d39/Eiyl/HKzuPa7tkjR+QE/CFvjX
RMg2XkYwbL1fuNyVDqjbPP400G/rYPAHnOjWEtUtXjPKrZnKT+IbPJUTQHjPGkJR
jEa9o/Sejws=
=vrs9
-----END PGP SIGNATURE-----
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 9:08 AM
To: Multiple recipients of list ORACLE-L
Bunyamin,
Did you pick up a copy of worm_klez somewhere?
Dick Goulet
____________________Reply Separator____________________
Author: [EMAIL PROTECTED]
Date: 7/15/2002 6:53 AM
<HTML><HEAD></HEAD><BODY>
<FONT COLOR˙F0000>
<b>ATTENTION!</b><br><br>
You can access<br>
<b>very important</b><br>
information by<br>
this password<br><br>
<b>DO NOT SAVE</b><br>
password to disk<br>
use your mind<br><br>
now press<br>
<b>cancel</b><br><br>
(Bunyamin Karadeniz)</font></BODY></HTML>
<iframe src=cid:W8dqwq8q918213 height=0 width=0></iframe>
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: MacGregor, Ian A.
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
