python script as an emergency mailbox cleaner

Phil Weldon pweldon at mindspring.com
Sat Sep 20 18:34:24 CEST 2003


No, it is only one worm with multiple methods of attack.

#1.  The fake 'security update' announcement purporting to be from Microsoft
(this e-mail is in HTML) and that includes an infected attachment.  If you
don't have protection, opening this e-mail runs the attachment even if you
don't run it.  So far the body of this vector doesn't vary, though the
header information does.

#2.  The bogus 'Undeliverable e-mail' message in which everything seems to
vary except, so far, the infected attachment that purports to be your
bounced e-mail.

#3.  The worm scans PtoP file-sharing data to spread further.

#4.  The worm hijacks servers to act as a source from which to download
packages to vary the infectious e-mail.

#5.  The worm can post to usenet.  Here's the header of a post that appeared
this morning on alt.comp.periphs.mainboard.abit:

Path: newsspool1.news.atl.earthlink.net!stamper.news.atl.earthlink.net!elnk-atl-nf1!newsfeed.earthlink.net!newshosting.com!news-xfer2.atl.newshosting.com!proxad.net!proxad.net!news-hub.cableinet.net!blueyonder!internal-news-hub.cableinet.net!news-binary.blueyonder.co.uk.POSTED!53ab2750!not-for-mail
FROM: "Clive Skingle" <mufchfohaauqze_qset at ykmke.com>
NEWSGROUPS: alt.comp.lang.php,alt.comp.mail.postfix,alt.comp.mail.qmail,alt.comp.malaysia,alt.comp.periphs.cdr,alt.comp.periphs.mainboard.abit,alt.comp.periphs.mainboard.asus,alt.comp.periphs.mainboard.gigabyte,alt.comp.periphs.videocards.ati
SUBJECT: Watch this critical update from the M$
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="hilghfawbnhbqydk"
Lines: 2182
Message-ID: <3RWab.214$_z.9 at news-binary.blueyonder.co.uk>
Date: Sat, 20 Sep 2003 11:27:59 GMT
NNTP-Posting-Host: 82.32.208.238
X-Complaints-To: abuse at blueyonder.co.uk
X-Trace: news-binary.blueyonder.co.uk 1064057279 82.32.208.238 (Sat, 20 Sep 2003 11:27:59 GMT)
NNTP-Posting-Date: Sat, 20 Sep 2003 11:27:59 GMT
Organization: blueyonder (post doesn't reflect views of blueyonder)
Xref: news.earthlink.net alt.comp.lang.php:12068 alt.comp.mail.qmail:7299 alt.comp.malaysia:17767 alt.comp.periphs.cdr:403271 alt.comp.periphs.mainboard.abit:567500 alt.comp.periphs.mainboard.asus:661135 alt.comp.periphs.mainboard.gigabyte:41619 alt.comp.periphs.videocards.ati:145487
X-Received-Date: Sat, 20 Sep 2003 04:28:01 PDT (newsspool1.news.atl.earthlink.net)

Phil Weldon, pweldon at mindspring.com


"John Roth" <newsgroups at jhrothjr.com> wrote in message
news:vmorgph6n3lg12 at news.supernews.com...
>
> "Phil Weldon" <pweldon at mindspring.com> wrote in message
> news:ZCZab.45450$Aq2.39773 at newsread1.news.atl.earthlink.net...
> > It's a worm.  Worm.Automat.AGH.  This is going to be a bad one.  The worm
> > installs, among other things, an SMTP engine, searches an infected system
> > for email addresses, and sends two types of e-mail:  the first is HTML and is
> > a fake "security patch" supposedly from Microsoft.  It looks very official,
> > but the attachment, 104 KBytes long, is infectious.  Norton Antivirus
> > definitions only began to identify it with the 18SEP03 manual definition
> > update.  The worm also posts to usenet newsgroups.  The other type of e-mail
> > is a fake notification of undeliverable e-mail.  This one is a real bear.
> > There seem to be hundreds of variations in the body content and thousands of
> > variations in the header.  The infectious package is also about 104 KBytes.
> > I'm getting nearly 100 of the two types per hour.  Norton Antivirus does not
> > detect the worm in usenet posts read by Outlook Express Newsreader or Outlook
> > Newsreader.  Only when you attempt to open the attachment or save the
> > attachment to disk will Norton identify it.  Norton will NOT detect the
> > virus in the newsgroup posts folder NOR will it detect the newsgroup folder
> > in a full system scan.  It will not remove the infected file from the
> > newsgroup folder, but it will prevent execution of the vermal payload.
> >
> > Microsoft Outlook with the SP3 security update when used as your e-mail
> > reader protects against infection.  Prior to 18SEP03 Norton did not.
> >
> > The worm is also retrieving additional variations, so you can expect the
> > payload size to begin changing soon.  The HTML message is easy to identify;
> > it is always the same (so far), and includes the phrase 'Run attached file'.
> > The bogus 'Undeliverable e-mail' variations have no commonality but the
> > payload attachment (that purports to be your bounced e-mail.)  This will
> > likely change soon.
> >
> > My guess is that the internet will not open on Monday.
>
> So far, I have seen no copies of the worm on usenet. This may be
> the result of my paying $$$ to a good usenet provider (Supernews.)
> Unfortunately, my e-mail provider got the stupid idea that "delete"
> meant "save a complete copy for 14 days just in case you want
> to see it." Most of the stuff is going into two mailboxes that I need
> to clean out manually every two or three hours (they're not my inbox,
> so the POP3 script won't do it.)
>
> It looks like two worms that just happened to hit at one time,
> doesn't it?
>
> John Roth
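In the spirit of the thread title, an added example that is not code from either poster: a small Python triage routine that flags messages matching the two e-mail vectors described above (an HTML "security update" whose body says 'Run attached file', and a bogus 'Undeliverable' bounce, each carrying an attachment). The 'undeliverable' subject pattern, the `build_sample` helper and its sample messages are constructed assumptions, not captures from the worm.

```python
"""Triage mail against the two e-mail vectors described in the post (added example)."""
import email
import re
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# 'Run attached file' and the 'critical update' subject are quoted in the thread;
# the 'undeliverable' wording is an assumed stand-in for the many bounce variations.
UPDATE_BODY = re.compile(r"run attached file", re.I)
UPDATE_SUBJ = re.compile(r"(critical|security)\s+update", re.I)
BOUNCE_SUBJ = re.compile(r"undeliverable", re.I)


def attachment_parts(msg: Message):
    """Return every leaf part that is a non-text attachment (where the payload rides)."""
    return [p for p in msg.walk() if not p.is_multipart()
            and (p.get_content_disposition() == "attachment"
                 or p.get_content_maintype() != "text")]


def triage(raw: bytes):
    """Return a reason string when the message matches a described vector, else None."""
    msg = email.message_from_bytes(raw)
    if not attachment_parts(msg):
        return None  # both vectors in the post rely on an infectious attachment
    subject = str(msg.get("Subject", ""))
    if BOUNCE_SUBJ.search(subject):
        return "bogus bounce with attachment"
    html = [p.get_payload(decode=True).decode("latin-1", "replace")
            for p in msg.walk() if p.get_content_type() == "text/html"]
    if html and (UPDATE_SUBJ.search(subject) or any(UPDATE_BODY.search(b) for b in html)):
        return "fake security update with attachment"
    return None


def build_sample(subject: str, html_body: str) -> bytes:
    """Constructed multipart/mixed sample shaped like the post's description; not a capture."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = subject
    msg["From"] = "constructed-sender@example.invalid"
    msg.attach(MIMEText(html_body, "html"))
    payload = MIMEApplication(b"constructed placeholder, not a real payload")
    payload.add_header("Content-Disposition", "attachment", filename="attachment.bin")
    msg.attach(payload)
    return msg.as_bytes()
```

Run `triage()` over each raw message pulled from the mailbox and move anything that returns a reason into a quarantine folder instead of deleting it, so false positives can be recovered.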