OT: Re: python script as an emergency mailbox cleaner
netvegetable
netvegetable at fastmail.fm
Sun Sep 21 02:42:35 EDT 2003
On Sat, 20 Sep 2003 14:37:45 +0000, Phil Weldon wrote:
> It's a worm. Worm.Automat.AGH. This is going to be a bad one. The worm
> installs, among other things, an SMTP engine, searches an infected system
> for email addresses, and sends two types of e-mail: the first is HTML and
> is a fake "security patch" supposedly from Microsoft. It looks very
> official, but the attachment, 104 KBytes long, is infectious. Norton
> Antivirus definitions only began to identify it with the 18SEP03 manual
> definition update. The worm also posts to usenet newsgroups. The other
> type of e-mail is a fake notification of undeliverable e-mail. This one
> is a real bear. There seem to be hundreds of variations in the body content
> and thousands of variations in the header. The infectious package is also
> about 104 KBytes. I'm getting nearly 100 of the two types per hour.
> Norton Antivirus does not detect the worm in usenet posts read by Outlook
> Express Newsreader or Outlook Newsreader. Only when you attempt to open
> the attachment or save the attachment to disk will Norton identify it.
> Norton will NOT detect the virus in the newsgroup posts folder NOR will it
> detect the newsgroup folder in a full system scan. It will not remove the
> infected file from the newsgroup folder, but it will prevent execution of
> the vermal payload.
>
> Microsoft Outlook with the SP3 security update when used as your e-mail
> reader protects against infection. Prior to 18SEP03 Norton did not.
>
> The worm is also retrieving additional variations, so you can expect the
> payload size to begin changing soon. The HTML message is easy to
> identify; it is always the same (so far), and includes the phrase 'Run
> attached file'. The bogus 'Undeliverable e-mail' variations have no
> commonality but the payload attachment (that purports to be your bounced
> e-mail.) This will likely change soon.
>
> My guess is that the internet will not open on Monday.
The worm uses newsgroup info from Outlook Express as well.
What's to stop a worm from retrieving header file info, and using the NNTP
posting header to actually hack people's computers?
--
to email me remove underscore _
death to spammers
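
The two message types described in the quoted post can be sorted with a small mailbox filter. The sketch below is an added example, not code from anyone in this thread: the phrase comes from the post, while the 100-108 KB window around "about 104 KBytes", the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email.message import EmailMessage

PHRASE = "run attached file"            # phrase quoted in the post
SIZE_RANGE = (100 * 1024, 108 * 1024)   # assumed window around "about 104 KBytes"

def attachment_sizes(msg):
    """Decoded size in bytes of every attachment part."""
    return [len(p.get_payload(decode=True) or b"") for p in msg.walk()
            if p.get_content_disposition() == "attachment"]

def body_text(msg):
    """Concatenate all text/* parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        chunks.append(data.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)

def classify(msg):
    """Return a reason string if msg matches the post's description, else None."""
    if PHRASE in body_text(msg).lower():
        return "fake-patch phrase"
    # The bounce variants share only the payload, so size is the one signal left;
    # it stops working once the payload size changes, as the post expects.
    if any(SIZE_RANGE[0] <= s <= SIZE_RANGE[1] for s in attachment_sizes(msg)):
        return "attachment ~104 KB"
    return None

def make_sample(subject, html, attach_len):
    """Constructed test message; attachment bytes are zeros, not malware."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(html, subtype="html")
    m.add_attachment(bytes(attach_len), maintype="application",
                     subtype="octet-stream", filename="sample.bin")
    # Round-trip through bytes, as a message read from an mbox would be.
    return email.message_from_bytes(m.as_bytes())

SAMPLES = [
    make_sample("Security patch", "<p>Run attached file.</p>", 104 * 1024),
    make_sample("Undeliverable mail", "<p>Message returned.</p>", 104 * 1024),
    make_sample("Lunch?", "<p>See the attached menu.</p>", 2048),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["Subject"], "->", classify(m))
```

To run it over a real mailbox, pass each message from `mailbox.mbox(path)` to `classify` and move matches to a quarantine file before deleting anything.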