python script as an emergency mailbox cleaner

Phil Weldon pweldon at
Sat Sep 20 18:34:24 CEST 2003

No, it is only one worm with multiple methods of attack.

#1.  The fake 'security update' announcement purporting to be from Microsoft
(this e-mail is in HTML) and that includes an infected attachment.  If you
don't have protection, opening this e-mail runs the attachment even if you
don't run it.  So far the body of this vector doesn't vary, though the
header information does.

#2.  The bogus 'Undeliverable e-mail' message in which everything seems to
vary except, so far, the infected attachment that purports to be your
bounced e-mail.

#3.  The worm scans PtoP file-sharing data to spread further.

#4.  The worm hijacks servers to act as a source from which to download
packages to vary the infectious e-mail.

#5. The worm can post to usenet.  Here's the header of a post that appeared
this morning on alt.comp.periphs.mainboard.abit

FROM: "Clive Skingle" <mufchfohaauqze_qset at>
SUBJECT: Watch this critical update from the M$
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="hilghfawbnhbqydk"
Lines: 2182
Message-ID: <3RWab.214$_z.9 at>
Date: Sat, 20 Sep 2003 11:27:59 GMT
X-Complaints-To: abuse at
X-Trace: 1064057279 (Sat, 20 Sep
2003 11:27:59 GMT)
NNTP-Posting-Date: Sat, 20 Sep 2003 11:27:59 GMT
Organization: blueyonder (post doesn't reflect views of blueyonder)
Xref: alt.comp.lang.php:12068 alt.comp.mail.qmail:7299
alt.comp.malaysia:17767 alt.comp.periphs.cdr:403271
X-Received-Date: Sat, 20 Sep 2003 04:28:01 PDT

Phil Weldon, pweldon at

"John Roth" <newsgroups at> wrote in message
news:vmorgph6n3lg12 at
> "Phil Weldon" <pweldon at> wrote in message
> news:ZCZab.45450$Aq2.39773 at
> > It's a worm.  Worm.Automat.AGH.  This is going to be a bad one.  The
> > installs, among other things, an SMTP engine, searches an infected
> > for email address, and sends two types of e-mail:  the first is HTML and is
> > a fake "security patch" supposedly from Microsoft.  It looks very official,
> > but the attachment, 104 KBytes long, is infectious.  Norton Antivirus
> > definitions only began to identify it with the 18SEP03 manual definition
> > update.  The worm also posts to usenet newsgroups.  The other type of e-mail
> > is a fake notification of undeliverable e-mail.  This one is a real
> > There seem to be hundreds of variations in the body content and thousands of
> > variations in the header.  The infectious package is also about 104 KBytes.
> > I'm getting nearly 100 of the two types per hour.  Norton Antivirus does not
> > detect the worm in usenet posts read by Outlook Express Newsreader or Outlook
> > Newsreader.  Only when you attempt to open the attachment or save the
> > attachment to disk will Norton identify it.  Norton will NOT detect the
> > virus in the newsgroup posts folder NOR will it detect the newsgroup folder
> > in a full system scan.  It will not remove the infected file from the
> > newsgroup folder, but it will prevent execution of the viral payload.
> >
> > Microsoft Outlook with the SP3 security update when used as your e-mail
> > reader protects against infection.  Prior to 18SEP03 Norton did not.
> >
> > The worm is also retrieving additional variations, so you can expect the
> > payload size to begin changing soon.  The HTML message is easy to identify;
> > it is always the same (so far), and includes the phrase 'Run attached file'.
> > The bogus 'Undeliverable e-mail' variations have no commonality but the
> > payload attachment (that purports to be your bounced e-mail.)  This will
> > likely change soon.
> >
> > My guess is that the internet will not open on Monday.
> So far, I have seen no copies of the worm on usenet. This may be
> the result of my paying $$$ to a good usenet provider (Supernews.)
> Unfortunately, my e-mail provider got the stupid idea that "delete"
> meant "save a complete copy for 14 days just in case you want
> to see it." Most of the stuff is going into two mailboxes that I need
> to clean out manually every two or three hours (they're not my inbox,
> so the POP3 script won't do it.)
> It looks like two worms that just happened to hit at one time,
> doesn't it?
> John Roth
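As an added example (not code from this thread or from either poster), here is the detection half of the emergency mailbox cleaner the subject line asks for, written in Python against the indicators Phil lists above: an HTML body containing 'Run attached file', and a bogus 'Undeliverable' notice whose only constant is its roughly 104 KByte attachment. The size tolerance, the matching rules, and the sample messages are my assumptions; nothing is deleted, suspect messages are only set aside.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the thread. The 8 KByte size tolerance and the exact
# matching rules are assumptions of this example, not something the thread states.
UPDATE_PHRASE = "run attached file"
PAYLOAD_SIZE = 104 * 1024
PAYLOAD_TOLERANCE = 8 * 1024


def attachment_sizes(msg):
    """Decoded byte length of every non-body part of the message."""
    return [len(part.get_payload(decode=True) or b"") for part in msg.iter_attachments()]


def looks_like_worm(msg):
    """Return the name of the matching indicator, or None for a clean message."""
    subject = (msg.get("Subject") or "").lower()
    html_part = msg.get_body(preferencelist=("html",))
    html_text = html_part.get_content().lower() if html_part is not None else ""
    sizes = attachment_sizes(msg)
    near_payload = any(abs(size - PAYLOAD_SIZE) <= PAYLOAD_TOLERANCE for size in sizes)
    if UPDATE_PHRASE in html_text and sizes:
        return "fake-security-update"
    if "undeliverable" in subject and near_payload:
        return "fake-bounce"
    return None


def classify_raw(raw):
    """Parse one raw message (bytes, as read from a mailbox) and classify it."""
    return looks_like_worm(email.message_from_bytes(raw, policy=policy.default))


def build_sample(subject, body_html, attachment_length):
    """Constructed sample message for testing; the attachment is inert zero bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content("plain-text alternative")
    msg.add_alternative(body_html, subtype="html")
    if attachment_length:
        msg.add_attachment(b"\x00" * attachment_length, maintype="application",
                           subtype="octet-stream", filename="sample.bin")
    return msg


def triage(raw_messages):
    """Split raw messages into (keep, quarantine) lists; nothing is deleted here."""
    keep, quarantine = [], []
    for raw in raw_messages:
        (quarantine if classify_raw(raw) else keep).append(raw)
    return keep, quarantine
```

To run it over a real spool, feed the bytes of each message (for example from `mailbox.mbox`) to `triage` and move the quarantine list to a holding folder for a human to review.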
