Hosting Provided By

RE: Virus? Trojan?

From: James C Slora Jr <Jim.Slora(at)phra.com>
Date: Fri Jan 10 2003 - 10:39:45 EST

David Gillett wrote Monday, December 30, 2002 5:03 PM

> So far today, I've received two email messages from

> which, apparently, claimed in its HELO message to *be*
> our local MX (which of course was who it was talking TO).
> Sounds to me like a bug in the sending software.

> The other thing these messages had in common was a
> 33KB .scr ("screen saver") executable attachment.
> Norton doesn't recognize this as a known threat, but
> I don't want to be the first to learn the hard way what
> it does.

I've gotten 4 more Yaha-M-infected messages from this same source today. I received a few at around the same time you did, starting December 31 when Yaha-M had not yet been listed. The sender must have one of the first infected computers. They may be a member of this list or someone who visits the list archives.

Since the infections are still coming I've notified the administrator of zeelandnet.nl - hopefully they will hunt the user down and help them clear the infection.

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sun Jan 12 15:42:58 2003

This message: [ Message body ]
Next message: Rogelio Vidaurri Courcelle: "Hacked web server"
Previous message: GertJan Hagenaars: "Re: Curious "spam" (or broken viral payload)..."
In reply to: David Gillett: "Virus? Trojan?"
In reply to Nick FitzGerald: "Re: Virus? Trojan?"
Next in thread: Nick FitzGerald: "RE: Virus? Trojan?"
Reply: Nick FitzGerald: "RE: Virus? Trojan?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT