Message-ID: <8461EB70DEC9D211A7D90090273FC2DDB0CCF1@mail.333tech.com>
From: shalligan at 333tech.com (Steve Halligan)
Subject: Automat? Was (Re: new virus: )
This is all the Swen.a (aka Gibe.a) virus. I have seen hundreds of
these today, with various message bodies and various filenames.
Some of the message bodies contain a mime exploit to try to
automatically execute the attachment, some don't.
Some appear to come from MS, some look like mailer bounces or errors.
But they all contain the same attached executable payload.
The MD5 of the payload is b09e26c292759d654633d3c8ed00d18d
-steve
ps. If you can set your MTA to discard or reject messages based on a
regexp body check here is a regexp for ya:
/^8TPbiV38OV4IdC6LBolF4DvDdBSLeESJfeSJRdxQ6AOPAABZi8fr5YleCIkeiV4E6wdqAVjDi2Xo$/
> Following up my own post:
> --------------------------------------------------------------
> There is no virus known to us by this name. However, Norton Anti-Virus
> uses names like W97M.Automat. to name viruses which have been detected
> automatically.
>
> VARIANT: Automat.K
> --------------------------------------------------------------
>
> So it looks new.
>
> ...Eric
>
>
>
> On Fri, 19 Sep 2003 disclosure@...tope.com wrote:
>
> > Check out Usenet or Google groups, lots of autospam postings about this to
> > news.admin.net-abuse.sightings.
> >
> > One says:
> >
> > hqbkyk.exe was infected with the malicious virus Worm.Automat.AHB and
> > has been deleted because the file cannot be cleaned.
> >
> > ...Eric
> >
> >
> > On Fri, 19 Sep 2003, Ron Clark wrote:
> >
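
Added example (not part of the original post and not its author's code): the two checks the message gives, the per-line body regexp and the payload MD5, run in Python over a constructed message. It shows that the line regexp only fires when the sender's base64 wrapping lines up with the signature line, while the hash of the decoded attachment does not depend on wrapping. The function names, the sample payload and the sample message are assumptions made for illustration.

```python
import base64, email, hashlib, re

# Indicators taken from the post above.
SIG_B64 = "8TPbiV38OV4IdC6LBolF4DvDdBSLeESJfeSJRdxQ6AOPAABZi8fr5YleCIkeiV4E6wdqAVjDi2Xo"
BODY_LINE = re.compile("^" + re.escape(SIG_B64) + "$")  # same pattern as the posted regexp
PAYLOAD_MD5 = "b09e26c292759d654633d3c8ed00d18d"

def body_line_hit(raw):
    """Match the regexp against each raw line, the way an MTA body check sees the message."""
    text = raw.decode("ascii", "replace")
    return any(BODY_LINE.match(line) for line in text.splitlines())

def attachment_hit(raw, known_md5=(PAYLOAD_MD5,)):
    """Decode every MIME part and compare its MD5 with the known payload hashes."""
    for part in email.message_from_bytes(raw).walk():
        data = part.get_payload(decode=True)  # None for multipart containers
        if data and hashlib.md5(data).hexdigest() in known_md5:
            return True
    return False

def build_sample(payload, wrap):
    """Constructed message with one base64 attachment wrapped at `wrap` columns."""
    b64 = base64.b64encode(payload).decode()
    lines = "\r\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return ("From: sender@example.com\r\nSubject: constructed sample\r\n"
            "MIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
            "--b1\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n"
            + lines + "\r\n--b1--\r\n").encode()

# Constructed payload (not the worm): zero filler with the 57 bytes behind the
# signature line placed on a 57-byte boundary, so 76-column wrapping reproduces the line.
SAMPLE = bytes(114) + base64.b64decode(SIG_B64) + bytes(57)
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    for wrap in (76, 60):
        msg = build_sample(SAMPLE, wrap)
        print(wrap, body_line_hit(msg), attachment_hit(msg, {SAMPLE_MD5}))
```
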