RE: W32.HLLW.Cult.C@mm worm
From: Mason, Samuel <smason(at)state.mt.us>
Date: Wed May 07 2003 - 12:10:19 EDT
Just FYI, McAfee/NAI lists that worm as "W32/Lanet@MM". It has been detected since DAT 4255, released 4/2/2003. http://vil.nai.com/vil/content/v_100218.htm
Samuel Mason
-----Original Message-----
Over the past few days I've been receiving emails masquerading as Blue Mountain e-cards with a .pif file attached. NAV detects this .pif file as infected with W32.HLLW.Cult.C@mm. I'm receiving them on both of my attbi.com (now Comcast) addresses. At first I thought maybe someone was infected and sending me the worm repeatedly, but after inspecting the headers, it appears that each copy was sent from a different IP address. All of the IP addresses resolve to client.attbi.com or client2.attbi.com subscriber host names.

What's even weirder is most of them are coming to an address which I've never used except to forward email from another address into, so no one in theory would have that address in their address books, web caches, email files, etc. Since the worm fabricates "From" addresses from a pre-defined list, I can't determine the email addresses of the senders to notify them.

Lastly, it seems like this worm isn't well known amongst the antivirus community. Norton/Symantec has had definitions for it for a month now, but they rate it a category 2 with a low "wild" rating, meaning they have had few submissions. McAfee and F-Secure have no information at all on their web sites, and when I tried forwarding one of the messages to my Hotmail address, their McAfee-based virus scanner didn't report the attachment as infected.

If this continues for another day I'll contact Comcast, but in the meantime I was wondering if anyone on here has been experiencing this as well, especially if you're on attbi/Comcast.

Here's Symantec's writeup. Note that they claim that the addresses the worm sends to are randomly generated. Actually it's the "From" addresses that are generated in this fashion. The "To" addresses are probably harvested from files on the infected machine, such as address books, etc.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.cult.c@mm.html

Here are the IPs/hostnames I've received infected emails from so far:

Thanks...
KJP

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 feature 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-focus-virus

Received on Thu May 8 11:40:29 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT