python script as an emergency mailbox cleaner

John Roth newsgroups at jhrothjr.com
Sat Sep 20 11:11:09 EDT 2003


"Phil Weldon" <pweldon at mindspring.com> wrote in message
news:ZCZab.45450$Aq2.39773 at newsread1.news.atl.earthlink.net...
> It's a worm.  Worm.Automat.AGH.  This is going to be a bad one.  The worm
> installs, among other things, an SMTP engine, searches an infected system
> for email addresses, and sends two types of e-mail:  the first is HTML and is
> a fake "security patch" supposedly from Microsoft.  It looks very official,
> but the attachment, 104 KBytes long, is infectious.  Norton Antivirus
> definitions only began to identify it with the 18SEP03 manual definition
> update.  The worm also posts to usenet newsgroups.  The other type of e-mail
> is a fake notification of undeliverable e-mail.  This one is a real bear.
> There seem to be hundreds of variations in the body content and thousands of
> variations in the header.  The infectious package is also about 104 KBytes.
> I'm getting nearly 100 of the two types per hour.  Norton Antivirus does not
> detect the worm in usenet posts read by Outlook Express Newsreader or Outlook
> Newsreader.  Only when you attempt to open the attachment or save the
> attachment to disk will Norton identify it.  Norton will NOT detect the
> virus in the newsgroup posts folder NOR will it detect the newsgroup folder
> in a full system scan.  It will not remove the infected file from the
> newsgroup folder, but it will prevent execution of the vermal payload.
>
> Microsoft Outlook with the SP3 security update when used as your e-mail
> reader protects against infection.  Prior to 18SEP03 Norton did not.
>
> The worm is also retrieving additional variations, so you can expect the
> payload size to begin changing soon.  The HTML message is easy to identify;
> it is always the same (so far), and includes the phrase 'Run attached file'.
> The bogus 'Undeliverable e-mail' variations have no commonality but the
> payload attachment (that purports to be your bounced e-mail.)  This will
> likely change soon.
>
> My guess is that the internet will not open on Monday.

So far, I have seen no copies of the worm on usenet. This may be
the result of my paying $$$ to a good usenet provider (Supernews.)
Unfortunately, my e-mail provider got the stupid idea that "delete"
meant "save a complete copy for 14 days just in case you want
to see it." Most of the stuff is going into two mailboxes that I need
to clean out manually every two or three hours (they're not my inbox,
so the POP3 script won't do it.)

It looks like two worms that just happened to hit at one time,
doesn't it?

John Roth
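The kind of emergency cleaner the subject line asks for, as an added example that is not code from this thread or from either poster. It uses only the two indicators Phil reports (an HTML message containing the phrase 'Run attached file', or any attachment close to 104 KBytes) and quarantines matching messages instead of deleting them outright, so a false positive can be recovered. It assumes the mailboxes are reachable as local mbox files (John's are folders on his provider, so a real run would need whatever access the provider exposes); the three sample messages, the size tolerance and the file names are constructed for the demonstration.

```python
"""Emergency mbox cleaner for the worm indicators discussed in the thread.

Added example, not code from the original posting. Assumptions: mailboxes
are local mbox files; a 4 KB slack around the reported 104 KB payload size;
the sample messages below are constructed, not captured worm mail.
"""

import mailbox
import os
import tempfile
from email.message import EmailMessage

PHRASE = "Run attached file"       # phrase reported in the fake 'security patch'
PAYLOAD_SIZE = 104 * 1024          # ~104 KBytes, as reported in the thread
TOLERANCE = 4 * 1024               # assumed slack around the reported size


def attachment_sizes(msg):
    """Yield the decoded size of every attachment part in a message."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            yield len(part.get_payload(decode=True) or b"")


def is_suspect(msg):
    """True if the message matches either worm indicator from the thread."""
    # Indicator 1: the fake 'security patch' HTML message with its fixed phrase.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if PHRASE.encode() in body:
                return True
    # Indicator 2: a payload attachment of roughly 104 KB (the fake bounce
    # has no other commonality, so size is the only usable handle).
    return any(abs(size - PAYLOAD_SIZE) <= TOLERANCE
               for size in attachment_sizes(msg))


def clean_mbox(path, quarantine_path):
    """Move suspect messages from `path` into `quarantine_path`.

    Returns (removed, kept). The mailbox is locked while it is rewritten
    so a concurrent delivery cannot corrupt it.
    """
    box = mailbox.mbox(path)
    quarantine = mailbox.mbox(quarantine_path)
    box.lock()
    try:
        removed = kept = 0
        for key in list(box.keys()):
            msg = box[key]
            if is_suspect(msg):
                quarantine.add(msg)
                box.remove(key)
                removed += 1
            else:
                kept += 1
        box.flush()
        quarantine.flush()
    finally:
        box.unlock()
        box.close()
        quarantine.close()
    return removed, kept


def build_sample_mbox(path):
    """Write three constructed messages: one legitimate, one fake
    'security patch', one fake bounce carrying a ~104 KB payload."""
    box = mailbox.mbox(path)

    legit = EmailMessage()
    legit["From"] = "alice@example.invalid"
    legit["Subject"] = "meeting"
    legit.set_content("See you at 10.")
    box.add(legit)

    patch = EmailMessage()
    patch["From"] = "security@example.invalid"
    patch["Subject"] = "Security update"
    patch.set_content("Run attached file to install the patch.", subtype="html")
    patch.add_attachment(b"\x00" * PAYLOAD_SIZE, maintype="application",
                         subtype="octet-stream", filename="patch.exe")
    box.add(patch)

    bounce = EmailMessage()
    bounce["From"] = "postmaster@example.invalid"
    bounce["Subject"] = "Undeliverable mail"
    bounce.set_content("Your message could not be delivered.")
    bounce.add_attachment(b"\x00" * (PAYLOAD_SIZE + 1000), maintype="application",
                          subtype="octet-stream", filename="message.zip")
    box.add(bounce)

    box.flush()
    box.close()


def run_demo():
    """Build the sample mailbox, clean it, and return
    (removed, kept, messages_in_quarantine)."""
    with tempfile.TemporaryDirectory() as d:
        inbox = os.path.join(d, "junk.mbox")
        quarantine = os.path.join(d, "quarantine.mbox")
        build_sample_mbox(inbox)
        removed, kept = clean_mbox(inbox, quarantine)
        return removed, kept, len(mailbox.mbox(quarantine))


if __name__ == "__main__":
    print(run_demo())
```

Running it against the constructed mailbox quarantines the fake patch and the fake bounce and keeps the legitimate message. The size check is deliberately a tolerance rather than an exact match because Phil expects the payload size to start changing; once it does, the phrase match on the HTML variant keeps working but the bounce variant will need a fresh indicator.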

More information about the Python-list mailing list