
Possible New Variant

 
W.S. Blevins

(Msg. 1) Posted: Fri Sep 19, 2003 11:26 pm
Post subject: Possible New Variant
Imported from groups: alt>comp>virus

This message is not archived

Ted Davis

(Msg. 2) Posted: Fri Sep 19, 2003 11:26 pm
Post subject: Re: Possible New Variant
Archived from groups: per prev. post

On Fri, 19 Sep 2003 23:26:21 GMT, W.S. Blevins <wsblevins RemoveThis @mchsi.com>
wrote:

>Among the hordes of infected emails received today, one executable
>attachment made it past Nod32 and KAV. It was attached to the standard
>MS update bullshit message. File was submitted to all reputable AV
>companies. It should be interesting to see what it is.

I saw a new variant about 2:45 PM CDT today (Friday) - I got 22 copies
within 6 minutes ... all with the same From: address. A few minutes
later I had a signature in my homemade virus trap and I never saw
another. The on-demand scanner on the server didn't catch them, but
the (later version, supposedly same data file) one on my workstation
did.


T.E.D. (tdavis@gearbox.maem.umr.edu - e-mail must contain "T.E.D." or my .sig in the body)

William Ehrich

(Msg. 3) Posted: Fri Sep 19, 2003 11:26 pm
Post subject: Re: Possible New Variant
Archived from groups: per prev. post

How does the swen bounce message work? I don't get any attachment and the
iframe src is just a random looking character string.

-- Bill Ehrich
Ted Davis

(Msg. 4) Posted: Sat Sep 20, 2003 11:11 am
Post subject: Re: Possible New Variant
Archived from groups: per prev. post

On Fri, 19 Sep 2003 21:11:07 -0500, William Ehrich <abc.TakeThisOut@def.invalid>
wrote:

>How does the swen bounce message work? I don't get any attachment and the
>iframe src is just a random looking character string.

As I understand it, there are two ways to get a bounce looking
message: the virus itself generates some, and some are real bounce
messages incorrectly sent to the person whose address was stolen by the
virus to use as the From: address. Server managers are getting better
about those bounce messages - the word seems to have gotten to them
(perhaps because they got huge numbers of wrong bounce messages
themselves the last go-around) that sending them out is
counterproductive. Also, a larger number of servers have filters that
strip the virus any time one enters the server, instead of just on
outgoing messages to valid users. There never was any point in
returning an attachment to the sender of a message to an invalid
address - if the attachment is innocent, the sender already has a
copy, and if it's a virus or worm, the (supposed) sender probably
doesn't want it.


T.E.D. (tdavis@gearbox.maem.umr.edu - e-mail must contain "T.E.D." or my .sig in the body)
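
Added example, not part of the thread: one way to triage the two kinds of bounce-looking mail described above by MIME structure. It assumes the standard RFC 3464 delivery-status layout for real bounces (many servers send non-standard bounces, which land in "unstructured"); the extension list, sample messages and function name are constructed for illustration.

```python
from email import message_from_string

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list, for illustration
def triage_bounce(raw):
    """Classify a bounce-looking message by MIME structure, not by its Subject."""
    msg = message_from_string(raw)
    parts = list(msg.walk())  # also descends into a returned message/rfc822 copy
    # RFC 3464 DSN: multipart/report, report-type=delivery-status, plus a status part.
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status"
              and any(p.get_content_type() == "message/delivery-status" for p in parts))
    risky = [p.get_filename() for p in parts
             if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    iframe = any(p.get_content_type() == "text/html"
                 and b"<iframe" in (p.get_payload(decode=True) or b"").lower() for p in parts)
    if is_dsn:  # real bounce; strip any returned attachment before delivery
        return "dsn-with-returned-attachment" if risky else "dsn"
    return "lookalike" if (risky or iframe) else "unstructured"

# Constructed sample: a real DSN that returns the original message, attachment included.
REAL_BOUNCE = """\
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

Subject: update
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.exe"

placeholder
--b1--
"""
# Constructed sample: bounce-looking HTML mail with an iframe and no status part.
FAKE_BOUNCE = """\
Subject: Undeliverable mail
Content-Type: text/html

<html><body>Delivery failed.<iframe src="cid:PLACEHOLDER"></iframe></body></html>
"""
```
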