Message-ID: <Pine.GSO.4.58.0407191447120.26361@well.com>
From: vvandal at well.com (Vic Vandal)
Subject: New MyDoom or Netsky variant?

Anyone seeing what looks like a brand new MyDoom variant?
Comes in e-mail as a message.zip, extracts to a message.doc
followed by a LOT of spaces and then a .pif extension.
I've only started to look at the encoded attachment, but
someone who opened it had an LSASS.EXE start up and take
about 96% CPU utilization.  I scanned the offending Outlook
attachment with the latest Symantec sigs, but it didn't recognize
it.  The .pif appears to be packed with UPX.

I'm tempted to infect my own machine to study the effects, but
would rather not do so and find out it's eaten a bunch of my
work I don't have time to back up.  But the infected user has
shut down his machine and left, so I can't study it there either.
I do have the Exchange admin trying to filter mail with the
attachment for the moment.

I see another e-mail from the infected, with a tgy.zip attachment
I have yet to start to dissect.  I did a Google search on that,
with no results.

It's not much fun running around in circles with your hair on
fire.  Thank the stars that all my personal e-mail comes to a
SunOS box - 15 years without a single infection!

Vic
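The attachment pattern described in the message above (a zip whose member is named `message.doc`, a long run of spaces, then a `.pif` extension, with a UPX-packed executable inside) can be flagged mechanically at the mail gateway. The following is an added example and not part of the original post or of any product it mentions: it scans a zip attachment for whitespace-padded double extensions and for a PE payload carrying UPX section names or the `UPX!` marker. The sample attachment is constructed inline (a stub `MZ` header with UPX markers, not real malware), the file-size cap and the marker heuristic are this example's own choices, and the UPX check is a cheap heuristic rather than an unpacker.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; .pif is the one the post reports.
EXECUTABLE_EXTS = "pif|exe|scr|com|bat|cmd"

# "<name>.<decoy ext><run of whitespace>.<executable ext>", e.g.
# "message.doc                    .pif". The padding pushes the real
# extension out of view in mail clients that truncate long names.
PADDED_DOUBLE_EXT = re.compile(
    r"\.[A-Za-z0-9]{1,5}[ \t]{2,}\.(" + EXECUTABLE_EXTS + r")$", re.IGNORECASE
)

# Assumption for this example: anything larger is skipped to avoid
# inflating a zip bomb in memory; a real gateway would quarantine instead.
MAX_MEMBER_BYTES = 5_000_000


def suspicious_name(name):
    """Return a reason string if the member name uses the padded
    double-extension trick, else None."""
    base = name.rsplit("/", 1)[-1]
    if PADDED_DOUBLE_EXT.search(base):
        return "whitespace-padded double extension: %r" % base
    return None


def looks_upx_packed(data):
    """Heuristic only: UPX-packed PE files carry UPX0/UPX1 section names in
    the section table and a 'UPX!' marker in the packer's own header, all of
    which sit near the start of the file."""
    head = data[:4096]
    return b"UPX!" in head or (b"UPX0" in head and b"UPX1" in head)


def scan_zip_attachment(blob):
    """Scan a zip attachment given as bytes.
    Returns a list of (member name, [reasons]) for members worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reasons = []
            reason = suspicious_name(info.filename)
            if reason:
                reasons.append(reason)
            if info.file_size <= MAX_MEMBER_BYTES:
                data = zf.read(info)
                if data[:2] == b"MZ":  # DOS/PE executable signature
                    reasons.append("PE executable payload")
                    if looks_upx_packed(data):
                        reasons.append("UPX packed")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed sample modelled on the attachment in the post:
    message.zip containing 'message.doc<spaces>.pif' plus a benign
    readme. The payload is a stub, not malware: an MZ header followed
    by UPX section names and the 'UPX!' marker."""
    payload = b"MZ" + b"\x00" * 62 + b"UPX0\x00UPX1\x00UPX!" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.doc" + " " * 40 + ".pif", payload)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample()):
        print("BLOCK %r: %s" % (member, "; ".join(reasons)))
```

The name check alone is enough to block this family at the Exchange gateway without signatures; the PE and UPX checks add evidence for triage and catch the same payload when it arrives under a different decoy name.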

