Title: Message
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
This is the virus that I was seeing. The one that Jim and others are seeing may
be this MyTob, whose description was sti
FYI,
This virus appears to be using multiple forms of infection. One seems
to link to the IP where you are prompted to run/download the infected
program and the others have infected attachments in the E-mail itself.
Based on reviewing my logs and spam capture file, it appears that
initially
Thanks Pete.
John
-
John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085 FAX 610.935.3086
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, June 06, 2005 6:22 PM
To: Jim Matuska
Subj
New rule - 369676 under Malware.
New experimental rule on message structure: 369677
_M
On Monday, June 6, 2005, 6:13:23 PM, Dave wrote:
DM> New target ip: 205.138.199.146
DM> -Original Message-
DM> From: [EMAIL PROTECTED]
DM> [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
DM> Sent
One rule (369660) will code to 53 (scams).
Another (369650) will code to 53 (scams).
Another (369634) also codes to 53 (scams).
The rules got the scam tag because it presents like a phishing scam.
I'll be watching for evidence of additional polymorphism and we will
adapt. Now that we know this
New target ip: 205.138.199.146
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Monday, June 06, 2005 3:01 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] New Spam/Virus?
Thanks Pete,
What Return code will this be under?
J
Thanks Pete,
What Return code will this be under?
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Dave Koontz"
Sent: Monday, June 06, 2005 3:00 PM
Subject: Re[2]: [sniffer] New
On Monday, June 6, 2005, 5:50:38 PM, Dave wrote:
DK> Same exact IP here!
We've got a couple of rules for this now -- making the rounds as new
compiles go out.
_M
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortm
Same exact IP here!
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Monday, June 06, 2005 5:42 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] New Spam/Virus?
Was this the ip?
209.67.220.164
This is the only address I have seen -
-Nick
Scott Fisher w
That's the one I am seeing too.
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Nick Hayer
To: sniffer@SortMonster.com
Sent: Monday, June 06, 2005 2:42 PM
Subject: Re: [sniffer] New Spam/Virus?
Interesting, we began seeing something similar a few hours ago, which had
a faked link to our domain that actually went to an IP based Web Site.
When attempting to access, I was given a prompt to download
"CONFIRM.COM".
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On B
Was this the ip?
209.67.220.164
This is the only address I have seen -
-Nick
Scott Fisher wrote:
Yes I have seen them too:
email starts with:
Dear Valued Member,
According to our site policy you will have to confirm your
account by the following link or else y
I'm seeing what Scott sees, but the payload is an encrypted zip.
VirusTotal.com says:
This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.
Antivirus  Version  Update  Result
Yes I have seen them too:
email starts with:
Dear Valued Member, According to our site policy
you will have to confirm your account by the following link or else your account
will be suspended within 24 hours for security reasons.
- Original Message -
From: Jim Matuska
On Monday, June 6, 2005, 5:13:19 PM, Jim wrote:
JM> Is anyone else seeing a huge rash of spam/virus messages in
JM> the last hour or so? I have multiple users that are getting
JM> messages that are forging our own addresses and have a link that
JM> appears to go to our website but instead goes
Is anyone else seeing a huge rash of spam/virus
messages in the last hour or so? I have multiple users that are getting
messages that are forging our own addresses and have a link that appears to go
to our website but instead goes elsewhere with an IP address link. These do
not appear to be