
Re: klez variant??

From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Fri Jan 31 2003 - 22:19:11 EST


Peter Snell <PSnell@daymon.com> wrote:

> Over the past 2 days, we have been seeing a resurgence of Klez type

I've not looked into the details of this in the lab, but might what you're describing be related to this recent warning from MessageLabs about Outlook weirdness with specially formulated "triple extension" filenames in MIME attachments??

   http://www.messagelabs.com/viruseye/report.asp?id=130

   Outlook quirks being exploited by viruses and trojans

   With the advances being made in content filtering techniques, virus authors and trojan writers are now resorting to exploiting the veiled quirkiness of our email software to further consolidate their social engineering tactics.

   ...

If you still have a copy of one of those Emails, you may also consider forwarding it to your preferred AV developers for further analysis in case there is obfuscated malware included. Here is a list of the sample submission addresses of the better known AV developers to save you looking them up:

   Command Software             <virus@commandcom.com>
   Computer Associates (US)     <virus@ca.com>
   Computer Associates (Vet/EZ) <ipevirus@vet.com.au>
   DialogueScience (Dr. Web)    <Antivir@dials.ru>
   Eset (NOD32)                 <sample@nod32.com>
   F-Secure Corp.               <samples@f-secure.com>
   Frisk Software (F-PROT)      <viruslab@f-prot.com>
   Grisoft (AVG)                <virus@grisoft.cz>
   H+BEDV (AntiVir):            <virus@antivir.de>
   Kaspersky Labs               <newvirus@kaspersky.com>
   Network Associates (McAfee)  <virus_research@nai.com>
   Norman (NVC)                 <analysis@norman.no>
   Sophos Plc.                  <support@sophos.com>
   Symantec (Norton)            <avsubmit@symantec.com>
   Trend Micro (PC-cillin)      <virus_doctor@trendmicro.com>
     (Trend may only accept files from registered users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Sun Feb 2 11:51:04 2003
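
A gateway-side check for the "triple extension" attachment names mentioned in the message above, as an added example that is not part of the original post or of the MessageLabs report. The page does not give the exact filename pattern, so the rule used here (three or more short suffixes ending in an executable type), the extension list, the function names and the sample message are all assumptions constructed for illustration.

```python
import email
from email import policy

# Assumption: extensions treated as directly executable on Windows; tune locally.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}

def extension_chain(filename):
    """Return the trailing run of short dot-separated suffixes, lowercased."""
    chain = []
    for part in reversed(filename.split(".")[1:]):
        token = part.strip().lower()
        # Stop at the first piece that does not look like an extension.
        if not (1 <= len(token) <= 4 and token.isalnum()):
            break
        chain.append(token)
    return chain[::-1]

def suspicious_attachments(raw_message, min_exts=3):
    """Return (filename, chain) for MIME parts whose name stacks min_exts or
    more suffixes and ends in an executable type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename, else Content-Type name.
        name = part.get_filename()
        if not name:
            continue
        chain = extension_chain(name)
        if len(chain) >= min_exts and chain[-1] in EXECUTABLE_EXTS:
            findings.append((name, chain))
    return findings

# Constructed sample message (not taken from any real incident).
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: constructed\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.doc.txt.pif"\r\n\r\nx\r\n'
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="notes.v2.txt"\r\n\r\nx\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, chain in suspicious_attachments(SAMPLE):
        print(f"flag: {name!r} extensions={chain}")
```

Passing `min_exts=2` widens the rule to ordinary double-extension names; a dotted name such as `notes.v2.txt` is still ignored because its final suffix is not in the executable set.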

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT

