[IP] more on New Horizons in spam and virii ~ "new price"

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on New Horizons in spam and virii ~ "new price"
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 9 Aug 2004 18:01:35 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Dan Updegrove <updegrove@xxxxxxxxxxxxxxx>
Date: August 9, 2004 5:45:51 PM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] New Horizons in spam and virii ~ "new price"

 Dave,

McAfee identifies "new price" as W32/Bagle.AQ@MM, a mass-mailing worm,which


- contains its own SMTP engine to construct outgoing messages
 - harvests email addresses from the victim machine
 - the From: address of messages is spoofed
 - attachment is a zip file, which contains an EXE and HTML file
 - contains a remote access component (notification is sent to hacker)

- copies itself to folders that have the phrase shar in the name (suchas common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)


 Useful write-up at

<http://vil.nai.com/vil/content/v_127423.htm>.

 Regards,
 Dan


 At 04:32 PM 8/9/2004, you wrote:



Begin forwarded message:

 From: hal@xxxxxxxxxxxxxx
 Date: August 9, 2004 5:15:43 PM EDT
 To: dave@xxxxxxxxxx
 Subject: Re: [IP] New Horizons in spam and virii


(P.S. -- I've also gotten several copies of an unidentified
 virus that says "new price" - the payload has the name
 price.zip or price2.zip.)

 I also got the price.zip file -- it contains two files, one
 called price.exe and one called price.html.  Checked with the
 folks at CERT and they said they've only had reports on the
 virus in the last couple of days and they're examining a
 sample that was sent to them.  They're still not sure what it
 does but said the html file seems to be some sort of
 javascript that actitvates the .exe file.  Couldln't find
 anything about it doing a general Google search or a Google
 search on both the F-Prot and TrendMicro sites.

 If anyone has any more info on this particular bit of
 mischief, I'd be interested to hear it.


 VP  for Information Technology          Phone (512) 232-9610
 The University of Texas at Austin       Fax (512) 232-9607
 FAC 248 (Mail code: G9800)              d.updegrove@xxxxxxxxxxxxxx

P.O. Box 7407 http://wnt.utexas.edu/~danu/

 Austin, TX 78713-7407

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] McNamara interpreted [by jsq]
Next by Date: [IP] Big Business Becoming Big Brother
Previous by thread: [IP] McNamara interpreted [by jsq]
Next by thread: [IP] Mental Health Screening for All Americans Proposed?
Index(es):
- Date
- Thread