python script as an emergency mailbox cleaner
pweldon at mindspring.com
Sat Sep 20 18:34:24 CEST 2003
No, it is only one worm with multiple methods of attack.
#1. The fake 'security update' announcement purporting to be from Microsoft
(this e-mail is in HTML) and that includes an infected attachment. If you
don't have protection, opening this e-mail runs the attachment even if you
don't run it. So far the body of this vector doesn't vary, though the
header information does.
#2. The bogus 'Undeliverable e-mail' message in which everything seems to
vary except, so far, the infected attachment that purports to be your
#3. The worm scans PtoP file-sharing data to spread further.
#4. The worm hijacks servers to act as a source from which to download
packages to vary the infectious e-mail.
#5. The worm can post to usenet. Here's the header of a post that appeared
this morning on alt.comp.periphs.mainboard.abit
FROM: "Clive Skingle" <mufchfohaauqze_qset at ykmke.com>
SUBJECT: Watch this critical update from the M$
Content-Type: multipart/mixed; boundary="hilghfawbnhbqydk"
Message-ID: <3RWab.214$_z.9 at news-binary.blueyonder.co.uk>
Date: Sat, 20 Sep 2003 11:27:59 GMT
X-Complaints-To: abuse at blueyonder.co.uk
X-Trace: news-binary.blueyonder.co.uk 1064057279 22.214.171.124 (Sat, 20 Sep
2003 11:27:59 GMT)
NNTP-Posting-Date: Sat, 20 Sep 2003 11:27:59 GMT
Organization: blueyonder (post doesn't reflect views of blueyonder)
Xref: news.earthlink.net alt.comp.lang.php:12068 alt.comp.mail.qmail:7299
X-Received-Date: Sat, 20 Sep 2003 04:28:01 PDT
Phil Weldon, pweldon at mindspring.com
"John Roth" <newsgroups at jhrothjr.com> wrote in message
news:vmorgph6n3lg12 at news.supernews.com...
> "Phil Weldon" <pweldon at mindspring.com> wrote in message
> news:ZCZab.45450$Aq2.39773 at newsread1.news.atl.earthlink.net...
> > It's a worm. Worm.Automat.AGH. This is going to be a bad one. The
> > installs, among other things, an SMTP engine, searches an infected
> > for email address, and sends two types of e-mail: the first is HTML and
> > a fake "security patch" supposedly from Microsoft. It looks very
> > but the attachment, 104 KBytes long, is infectious. Norton Antivirus
> > definitions only began to identify it with the 18SEP03 manual definition
> > update. The worm also posts to usenet newsgroups. The other type of
> > is a fake notification of undeliverable e-mail. This one is a real
> > There seem to be hundreds of variations in the body content and thousands
> > variations in the header. The infectious package is also about 104
> > I'm getting nearly 100 of the two types per hour. Norton Antivirus does
> > detect the worm in usenet posts read by Outlook Express Newsreader or
> > Newsreader. Only when you attempt to open the attachment or save the
> > attachment to disk will Norton identify it. Norton will NOT detect the
> > virus in the newsgroup posts folder NOR will it detect the newsgroup
> > in a full system scan. It will not remove the infected file from the
> > newsgroup folder, but it will prevent execution of the vermal payload.
> > Microsoft Outlook with the SP3 security update when used as your e-mail
> > reader protects against infection. Prior to 18SEP03 Norton did not.
> > The worm is also retrieving additional variations, so you can expect the
> > payload size to begin changing soon. The HTML message is easy to
> > it is always the same (so far), and includes the phrase 'Run attached
> > The bogus 'Undeliverable e-mail' variations have no commonality but the
> > payload attachment (that purports to be your bounced e-mail.) This will
> > likely change soon.
> > My guess is that the internet will not open on Monday.
> So far, I have seen no copies of the worm on usenet. This may be
> the result of my paying $$$ to a good usenet provider (Supernews.)
> Unfortunately, my e-mail provider got the stupid idea that "delete"
> meant "save a complete copy for 14 days just in case you want
> to see it." Most of the stuff is going into two mailboxes that I need
> to clean out manually every two or three hours (they're not my inbox,
> so the POP3 script won't do it.)
> It looks like two worms that just happened to hit at one time,
> doesn't it?
> John Roth
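
Added example, not part of the original thread or either poster's script: a Python triage pass over raw messages using the two traits the posts describe, an attachment of about 104 KBytes and the phrase 'Run attached' in the HTML body. Measuring the decoded size, the 4 KB tolerance, and the names `classify`, `attachment_sizes`, `html_text` and `build_sample` are assumptions.

```python
import email
from email.message import EmailMessage

PAYLOAD_BYTES = 104 * 1024      # "104 KBytes" from the thread, assumed to be the decoded size
TOLERANCE_BYTES = 4 * 1024      # assumption: slack for rounding in the reported size
HTML_MARKER = "run attached"    # phrase as quoted (cut off) in the thread, lowercased

def attachment_sizes(msg):
    """Decoded byte length of every MIME part that carries a filename."""
    return [len(part.get_payload(decode=True) or b"")
            for part in msg.walk() if part.get_filename()]

def html_text(msg):
    """Lowercased text of all inline text/html parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            try:
                chunks.append(raw.decode(part.get_content_charset() or "latin-1", "replace"))
            except LookupError:          # bogus charset label in hostile mail
                chunks.append(raw.decode("latin-1"))
    return " ".join(chunks).lower()

def classify(raw_bytes):
    """Return 'quarantine', 'review' or 'keep' for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes)
    size_hit = any(abs(n - PAYLOAD_BYTES) <= TOLERANCE_BYTES for n in attachment_sizes(msg))
    if size_hit and HTML_MARKER in html_text(msg):
        return "quarantine"      # fixed HTML "security patch" variant
    if size_hit:
        return "review"          # bounce variant: only the payload size is stable
    return "keep"

def build_sample(html, attach_kb):
    """Constructed test message; the attachment is zero bytes, not real malware."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative(html, subtype="html")
    if attach_kb:
        m.add_attachment(b"\x00" * (attach_kb * 1024), maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()

if __name__ == "__main__":
    for html, kb in [("<p>Run attached</p>", 104), ("<p>Delivery failed</p>", 104), ("<p>hi</p>", 12)]:
        print(kb, classify(build_sample(html, kb)))
```

A size-only match is reported as 'review' rather than deleted, since the posts expect the payload size to start changing and a 104 KB attachment alone is not proof.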