[uug] W32.HLLW.Mankx@mm worm variant(s)

[Jacob Fugal]

(OT-WARNING: Post not at all related to anything normally discussed by 
the UUG, but I though it might be helpful to get this info out onto the 
list.)

Over the past couple of days and this morning in particular I've 
received several emails, most from [EMAIL PROTECTED] addresses with titles such 
as "Re: Movie" and "Re: Application". The bodies invariably say 
something such as (not verbatim, I'm going off memory) "Please see the 
attached file" and a 'pif' file (eg. movie.pif or application.pif) is 
attached.

I obviously ID-ed the messages as probability 95% virus and ignored the 
first few. But with four such emails today I decided to actually find 
out in order to give information to the afflicted. It appears very 
similar to be the [EMAIL PROTECTED] worm, but differs in some aspects. 
The most informative site I've been able to find was at the University 
of Virginia Information Technology and Communication webpage. The 
following two links in particular:

Alert/Description: 
http://www.itc.virginia.edu/desktop/virus/results.php3?virusID=63
Fix Details: 
http://www.itc.virginia.edu/desktop/virus/fixes.php3?fixID=73&virusID=63

However, the description of [EMAIL PROTECTED] claims that the worm is 
active only through May 31 and that it spoofs a sending address of 
'[EMAIL PROTECTED]'. I have received four seperate emails today 
(June 2) with normal addresses (they may still be spoofed, I'm not sure 
exactly what to look for in the headers to detect that) but otherwise 
matching the [EMAIL PROTECTED] description. Hopefully the above fix will 
work for the variant(s) as well.

Jacob Fugal

____________________
BYU Unix Users Group 
http://uug.byu.edu/ 
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list