
W32.HLLW.Cult.C@mm worm

From: Kevin Patz <jambo_cat(at)yahoo.com>
Date: Wed May 07 2003 - 10:01:06 EDT

Over the past few days I've been receiving emails masquerading as Blue Mountain e-cards with a .pif file attached. NAV detects this .pif file as infected with W32.HLLW.Cult.C@mm. I'm receiving them on both of my attbi.com (now Comcast) addresses. At first I thought maybe someone was infected and sending me the worm repeatedly, but after inspecting the headers, it appears that each copy was sent from a different IP address. All of the IP addresses resolve to client.attbi.com or client2.attbi.com subscriber host names. What's even weirder is most of them are coming to an address which I've never used except to forward email from another address into, so no one in theory would have that address in their address books, web caches, email files, etc.

Since the worm fabricates "From" addresses from a predefined list, I can't determine the email addresses of the senders to notify them.

Lastly, it seems like this worm isn't well known amongst the antivirus community. Norton/Symantec has had definitions for it for a month now, but they rate it a category 2 with a low "wild" rating, meaning they have had few submissions. McAfee and F-Secure have no information at all on their web sites, and when I tried forwarding one of the messages to my Hotmail address, their McAfee-based virus scanner didn't report the attachment as infected.

If this continues for another day I'll contact Comcast, but in the meantime I was wondering if anyone on here has been experiencing this as well, especially if you're on attbi/Comcast.

Here's Symantec's writeup. Note that they claim that the addresses the worm sends to are randomly generated. Actually it's the "From" addresses that are generated in this fashion. The "To" addresses are probably harvested from files on the infected machine, such as address books, etc.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.cult.c@mm.html

Here's the IPs/hostnames I've received infected emails from so far:

h00a0cc73eea1.ne.client2.attbi.com   24.91.118.215
h00107a685cb6.ne.client2.attbi.com   24.62.160.134
12-247-70-25.client.attbi.com        12.247.70.25
12-252-155-156.client.attbi.com      12.252.155.156
c-66-56-38-167.atl.client2.attbi.com 66.56.38.167
12-229-12-66.client.attbi.com        12.229.12.66
12-254-157-107.client.attbi.com      12.254.157.107
c-24-127-155-15.we.client2.attbi.com 24.127.155.15
12-238-232-107.client.attbi.com      12.238.232.107
h0000e85b3bbd.ne.client2.attbi.com   24.91.80.35
c-24-99-88-37.atl.client2.attbi.com  24.99.88.37
h00d00951617b.ne.client2.attbi.com   24.128.141.116
12-241-207-120.client.attbi.com      12.241.207.120

Thanks... KJP
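The header triage the post describes (is this one infected machine resending, or one copy per infected host, and do the origins resolve to attbi subscriber names?) as an added Python example; this is not part of the original message and not Symantec's or anyone else's tooling. Everything in it is constructed: the three sample e-card messages, the 64-byte "MZ" stub standing in for the real .pif, the receiving MX name mx.example.net, the fabricated From addresses, and PTR_TABLE, which stands in for reverse DNS so the script runs offline. The three IPs and hostnames are taken from the list above. It also covers a case the post does not: a sender can pre-insert its own Received lines, so the bottom-most line is not automatically the true origin.

```python
import base64
import email
import email.policy
import hashlib
import re

# Constructed stand-in for reverse DNS (three entries from the list in the post).
PTR_TABLE = {
    "12.247.70.25": "12-247-70-25.client.attbi.com",
    "24.91.118.215": "h00a0cc73eea1.ne.client2.attbi.com",
    "66.56.38.167": "c-66-56-38-167.atl.client2.attbi.com",
}
SUBSCRIBER_RE = re.compile(r"\.client2?\.attbi\.com$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"^from\s+(\S+)")
BORDER_MX = "mx.example.net"   # assumed name of the receiving site's own MX
FAKE_PIF = b"MZ" + b"\0" * 62  # constructed stub, not the real worm payload

TEMPLATE = """\
Received: from mx.example.net (localhost [127.0.0.1])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C; Wed, 7 May 2003 09:12:33 -0400
Received: from {host} ({host} [{ip}])
\tby mx.example.net (Postfix) with SMTP id 4D5E6F; Wed, 7 May 2003 09:12:30 -0400
{forged}From: "Blue Mountain" <{sender}>
To: forwarded@example.net
Subject: You have received a greeting card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="cardbound"

--cardbound
Content-Type: text/plain

A friend has sent you a card. Open the attachment to view it.
--cardbound
Content-Type: application/octet-stream; name="ecard.pif"
Content-Disposition: attachment; filename="ecard.pif"
Content-Transfer-Encoding: base64

{payload}
--cardbound--
"""

# A Received line the sender wrote itself; it sits below the MX's own stamp.
FORGED = ("Received: from mail.bluemountain.example ([203.0.113.5])\n"
          "\tby smtp.bluemountain.example; Wed, 7 May 2003 09:11:00 -0400\n")

# Three constructed copies: same lure, a different subscriber host and a
# different fabricated From address each; the third also carries FORGED.
SAMPLES = [
    TEMPLATE.format(host=h, ip=i, sender=s, forged=f,
                    payload=base64.b64encode(FAKE_PIF).decode())
    for h, i, s, f in [
        ("12-247-70-25.client.attbi.com", "12.247.70.25", "alice@example.com", ""),
        ("h00a0cc73eea1.ne.client2.attbi.com", "24.91.118.215", "bob@example.org", ""),
        ("c-66-56-38-167.atl.client2.attbi.com", "66.56.38.167", "carol@example.net", FORGED),
    ]
]

def _received(raw):
    """Parse the message; return it plus its Received lines unfolded, newest hop first."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    return msg, [" ".join(str(h).split()) for h in msg.get_all("Received") or []]

def bottom_hop_ip(raw):
    """Naive reading: the IP in the bottom-most Received line, whoever wrote it."""
    _, hops = _received(raw)
    m = IP_RE.search(hops[-1]) if hops else None
    return m.group(1) if m else None

def origin(raw, border_mx=BORDER_MX):
    """(ip, hostname) of the host that connected to our own MX. Only the line our
    MX stamped is trustworthy; anything below it was supplied by the sender."""
    _, hops = _received(raw)
    for hop in hops:  # top-down, so an inner relay's line is skipped
        if f"by {border_mx}" in hop:
            ip, host = IP_RE.search(hop), HOST_RE.match(hop)
            return (ip.group(1) if ip else None, host.group(1) if host else None)
    return None, None

def attachments(raw):
    """[(filename, sha256)] for each attachment, decoded from its transfer encoding."""
    msg, _ = _received(raw)
    return [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest())
            for p in msg.iter_attachments()]

def triage(raws):
    """Summarise a batch: one machine resending, or one copy per infected host?"""
    ips = [ip for ip in (origin(r)[0] for r in raws) if ip]
    senders = {_received(r)[0]["From"] for r in raws}
    subscriber = [ip for ip in ips if SUBSCRIBER_RE.search(PTR_TABLE.get(ip, ""))]
    pif_hashes = {h for r in raws for fn, h in attachments(r)
                  if fn and fn.lower().endswith(".pif")}
    return {
        "messages": len(raws),
        "distinct_origins": len(set(ips)),
        "subscriber_origins": len(subscriber),
        "distinct_senders": len(senders),
        "pif_hashes": sorted(pif_hashes),
        "verdict": ("one copy per host" if len(set(ips)) == len(ips) > 1
                    else "repeat source"),
    }
```

On the three constructed samples, `triage(SAMPLES)` reports three distinct origins, all three resolving to attbi subscriber names, three distinct From addresses and a single .pif hash, which is the pattern the post describes: one worm, many infected hosts, forged senders. For the third sample `bottom_hop_ip` returns the forged 203.0.113.5 while `origin` returns 66.56.38.167, because it reads only the line stamped by your own MX; the hostname on that line is what the connecting host claimed in HELO, so for attribution use the bracketed IP and resolve it yourself (replace PTR_TABLE with `socket.gethostbyaddr`). Hashing the decoded attachment rather than the base64 text gives you a value you can compare across copies and submit to a vendor.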

Received on Wed May 7 10:30:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT
