[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ok] [Full-Disclosure] Possible Virus/Trojan

To: Todd Towles <toddtowles@xxxxxxxxxxxxxxx>
Subject: Re: [ok] [Full-Disclosure] Possible Virus/Trojan
From: Charles Heselton <charles.heselton@xxxxxxxxx>
Date: Mon, 26 Jul 2004 19:21:02 -0700

On Mon, 26 Jul 2004 08:08:27 -0500, Todd Towles
<toddtowles@xxxxxxxxxxxxxxx> wrote:
> Sorry guys, I just noticed in my Outlook that the attachment name was really
> "New Southern California wildfire erupts.avi (spaces) .exe"
> 
> It was released to me after being blocked, but Outlook blocks access to exe
> files. Therefore I don't have a direct copy of it to look into. I am trying
> to find another copy somewhere.
> 
> That means the file name was the same as the header. If I was going to
> custom make a fake e-mail to send to one person, it wouldn't be so
> automatically looking.
> 
> 
> 
> 
> -----Original Message-----
> From: Andrew Farmer [mailto:andfarm@xxxxxxxxxxxx]
> Sent: Sunday, July 25, 2004 6:06 PM
> To: Curt Purdy
> Cc: 'Mailing List - Full-Disclosure'; 'Todd Towles'
> Subject: Re: [ok] [Full-Disclosure] Possible Virus/Trojan
> 
> On 25 Jul 2004, at 12:06, Curt Purdy wrote:
> > Todd Towles  wrote:
> >> I received an e-mail today that looked very much like a virus. Here
> >> is the message
> >>
> >> Attachment - erupts.avi.exe
> >
> >> Subject - New Southern California wildfire erupts
> >
> > <snip>
> >
> >> Either this is a new Trojan that changes it body and subject based on
> >> the current  AP  news or someone used a very lame trick against me.
> >> =)
> >
> > I'm guessing the latter.  Although story scraping would be possible,
> > intellegent naming of the .exe would not be.  Most likely a friend...
> > or
> > enemy.
> 
> Sure it would be. In this case, at least, the executable is just named
> based on the last word of the headline plus ".avi.exe".
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
Sounds like a variant of the new MyDoom.  MyDoom.M (as named by
Symantec) grabs email domains, then does a google search for other
email addy's in the same domain.  I would be more or less trivial to
craft the filename/subject from something pulled off of a "current
event search".

-- 
Charlie Heselton
Network Security Engineer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [ok] [Full-Disclosure] Possible Virus/Trojan
  - From: Todd Towles

Prev by Date: RE: [ok] [Full-Disclosure] Possible Virus/Trojan
Next by Date: Re: [Full-Disclosure] (no subject)
Previous by thread: RE: [ok] [Full-Disclosure] Possible Virus/Trojan
Next by thread: RE: [ok] [Full-Disclosure] Possible Virus/Trojan
Index(es):
- Date
- Thread