[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] New MyDoom or Netsky variant?

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] New MyDoom or Netsky variant?
From: Niek Baakman <niekbaakman@xxxxxxx>
Date: Tue, 20 Jul 2004 00:50:55 +0200

Vic Vandal wrote:

Anyone seeing what looks like a brand new MyDoom variant?
Comes in e-mail as a message.zip, extracts to a message.doc
followed by a LOT of spaces and then a .pif extension.
I've only started to look at the encoded attachment, but
someone who opened it had a LSASS.EXE start up and take
about 96% CPU utilization.  I scanned the offending Outlook
attachment with the latest Symantec sigs, but it didn't recognize
it.  The .pif appears to be packed with UPX.


Don't use symantec for fast updates.
They only update liveupdate 1-2 per week.
If you want updates more often, you have grab their intelligent updater
manually (1 per day), or grab their beta updates (also manually).

Only if they regard the virus to be a serious threat, they offer an
immediate liveupdate. For something as mail protection, they are too slow.
Then again, you don't use symantec products on a mail server.

Regards,

Niek Baakman

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] New MyDoom or Netsky variant?
  - From: Bart . Lansing

References:
- [Full-Disclosure] New MyDoom or Netsky variant?
  - From: Vic Vandal

Prev by Date: Re: [Full-Disclosure] IE
Next by Date: RE: [Full-Disclosure] SNMP Broadcasts
Previous by thread: Re: [Full-Disclosure] New MyDoom or Netsky variant?
Next by thread: Re: [Full-Disclosure] New MyDoom or Netsky variant?
Index(es):
- Date
- Thread