- what is this? (Important information for you. Read it immediately !)
- Posted by Markus Zingg on January 29th, 2004
Hi group
Since today around 2pm GMT+1 I'm getting multiple copies of the
following e-mail
Subject: Important information for you. Read it immediately !
It's very short and basically contains this:
--xxxx
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
<FONT color=red size=15><CENTER>Hi !</CENTER></FONT><BR>
Here is my photo, that you asked for yesterday.<BR><iframe
src=domain_marker WIDTH=1 HEIGHT=1></iframe>
--xxxx
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="myphoto.zip"
UEsDBAoAAAAAAFZ2ai/+n7Ua2kMAANpDAABHAAAAbXlwaG90by5q
The "myphoto.zip" comes in two variants. A very short one, and a
bigger one. I decoded the bigger (23KB base64 encoded, binary size
~17KB) one into a file and it clearly shows executable code. It
therefore must be some sort of worm because I can see SMTP protocol
related strings in there. Is this an "oldie" or something new?
Is there a place where I can drop the binary to be examined by
experts?
TIA
Markus
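A defender-side triage script for a message shaped like the one quoted above, added here as an example and not part of the thread. It builds its own harmless sample (the zip holds a stub with an "MZ" header and a few SMTP verbs; the iframe target is a placeholder) and flags the three things Markus noticed: the hidden 1x1 iframe, an executable inside a zip attachment, and SMTP-related strings in that executable.

```python
import base64, email, io, re, zipfile
from email import policy

# Constructed sample modelled on the quoted message. The "zip" holds a
# harmless stand-in: an "MZ" header plus SMTP verbs, not the real worm.
def build_sample():
    stub = b"MZ" + b"\x00" * 62 + b"HELO\x00MAIL FROM:\x00RCPT TO:\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg.exe", stub)   # assumed inner file name
    b64 = base64.b64encode(buf.getvalue()).decode()
    html = ('<FONT color=red size=15><CENTER>Hi !</CENTER></FONT><BR>'
            'Here is my photo, that you asked for yesterday.<BR>'
            '<iframe src=http://example.invalid/ WIDTH=1 HEIGHT=1></iframe>')
    return ("Subject: Important information for you. Read it immediately !\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="xxxx"\n\n'
            "--xxxx\nContent-Type: text/html\nContent-Transfer-Encoding: 7bit\n\n"
            + html + "\n--xxxx\nContent-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n"
            'Content-Disposition: attachment; filename="myphoto.zip"\n\n'
            + b64 + "\n--xxxx--\n")

# A 1x1 iframe in an HTML body is a classic drive-by / beacon pattern.
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*width=\s*"?1\b[^>]*height=\s*"?1\b', re.I)
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO")

def triage(raw):
    # Return a list of indicator strings found in a raw RFC 2822 message.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html":
            if HIDDEN_IFRAME.search(part.get_content()):
                findings.append("hidden 1x1 iframe in HTML body")
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True)      # base64 -> bytes
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        blob = zf.read(inner)
                        if blob[:2] == b"MZ":         # DOS/PE executable header
                            findings.append(f"PE executable {inner} inside {name}")
                        if any(v in blob for v in SMTP_VERBS):
                            findings.append(f"SMTP strings in {inner} (mass-mailer?)")
            except zipfile.BadZipFile:
                findings.append(f"{name} is not a valid zip archive")
    return findings
```

Run `triage(build_sample())` to see the three findings; on a plain-text message with no attachment the list is empty.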
- Posted by null@zilch.com on January 29th, 2004
On Thu, 29 Jan 2004 23:33:15 +0100, Markus Zingg <m.zingg@nct.ch>
wrote:
I dunno if someone will recognize it or not. There are several file
upload sites you can use to get up to date antivirus scans of the
files:
http://www.claymania.com/anti-virus.html
If the av products don't produce an alert, the next step is to send
the suspect files zipped to your favorite av vendor for analysis.
Someone here usually posts a list of vendors and their _submit_ email
addys every so often.
If you wish, I'll be happy to scan the files with several different
top notch av scanners. My addy is artnpeg at epix dot net
Art
http://www.epix.net/~artnpeg
- Posted by taff on January 29th, 2004
Free MyDoom removal tool from
Kaspersky Labs:
http://www.kaspersky.com/
Taff............
On Thu, 29 Jan 2004 23:33:15 +0100, Markus Zingg <m.zingg@nct.ch>
wrote:
www.sounds-pa.com | www.thecomputerworkshop.com
- Posted by Markus Zingg on January 29th, 2004
I can answer it myself :-) It's "dumaru.y". The funny thing is though
that I really get it sent to me once every hour... Strange, isn't it? I
of course also get MyDooms (326 so far) but I haven't gotten a single
dumaru.y before and now so massively...
Markus
- Posted by Tim H. on January 30th, 2004
"taff" <taff@the-valleys.com> wrote in message
news:0h5j10534f8kj3n32vrvn8sc27pq6j17mm@4ax.com...
This is nonsense. He doesn't need the tool if he didn't run the virus. Plus,
he's using Forte Agent which isn't susceptible to the MIME exploit.
How about posting a link to the virus writeup rather than a tool?
-Tim
- Posted by Max M.Wachtel III on January 30th, 2004
Here is a copy of a message I sent to my friends.
I think it fits in here.
-max
hey everybody-
just a reminder to update your Anti-Virus and Windows System. There are 3 new
worms out last week targeting WinXP. Here are some links to E-WEEK and ZDNet
articles that talk about them:
"Anti-virus specialist Kaspersky Labs has identified a
variant to MyDoom, labeled MyDoom.b, that has a slightly
larger payload than MyDoom.a and targets Microsoft for a DOS
attack to be launched Feb. 1."
http://eletters.eweek.com/zd1/cts?d=...-76115-52635-1
NEW VIRUS CLOGS THE NET
TODAY'S TOP STORY
MyDoom continues to spread at a record pace, slowing networks as
servers pick off copies of the nefarious ZIP file. The virus
carries a payload that threatens to flood SCO's site from
Feb. 1 - Feb. 12, 2004. SCO has offered $250,000 for information
leading to the arrest and conviction of the person or group
responsible for creating the virus.
http://ct.com.com/click?q=0f-RMOlIqj...rupGcHGdkvbWnk
RELATED RESOURCES
* MYDOOM WORM IS BESIEGING SYSTEMS ACROSS THE INTERNET
http://ct.com.com/click?q=8b-SBHBQY0...~M6ODElGUFB8aR
* BE READY TO REACT WHEN AN E-MAIL VIRUS STRIKES
http://ct.com.com/click?q=d7-wkDZQLW...ijfHnkeaJ_kjJU
* DOWNLOAD OUR BASIC VIRUS POWERPOINT PRESENTATION TO EDUCATE
YOUR END USERS
http://ct.com.com/click?q=0f-RMOlIqj...rfpGcHGdkvbWnk
remember Be Safe
-max
'When you have a degree-you don't know everything-just a degree'-Dr Miles
Munroe
This message is virus free as far I can tell
Change nomail.afraid.org to hotmail.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
- Posted by FromTheRafters on January 30th, 2004
"Tim H." <tekphobia@comcast.net> wrote in message news:7yiSb.182762$xy6.888006@attbi_s02...
Besides, isn't that Dumaru.y ?
- Posted by Tim H. on January 30th, 2004
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:101jgvcji9tev71@corp.supernews.com...
Oops =) Yes, it's Dumaru.Y. My mind is still in Novarg world.
Btw, I like the email address!
-Tim
- Posted by taff on January 30th, 2004
On Fri, 30 Jan 2004 03:00:18 GMT, "Tim H." <tekphobia@comcast.net>
wrote:
don't read the post properly.
Taff.............
www.sounds-pa.com | www.thecomputerworkshop.com