Yes. And many of the recipient addresses are munged or otherwise invalid
addresses that tend to receive a lot of spam.
F-Secure's weblog reported "the sample appears to a variant of Mitglieder
trojan that is closely related to Bagle. It doesn't have replication
mechanism of its own, so it was probably spammed out using some other proxy
trojans or a new Bagle worm variant".
http://www.f-secure.com/weblog/
Virustotal.com reports that many AV vendors call it a Bagle variant,
Symantec calls the trojan Trojan.Tooso.F, and F-Prot calls it Mitglieder.
Trend Micro is naming the mass-mailing component WORM_BAGLE.xx, and the
dropped trojan TROJ_BAGLE.xx.
- Siobhan
Siobhan Jackson
WA State AG's Office
-----Original Message-----
From: Dan Denton [mailto:ddenton (at) PAYLESSOFFICE (dot) com [email concealed]]
Sent: Wednesday, April 20, 2005 12:37 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: New/recent virus outbreak
Have anyone seen any virus infected emails coming from addresses with
usernames identical to those on your own email servers, but from domains
like hotmail.com or netzero.com ? These emails seem to be sent from a
spoofed email address such as example.user (at) netzero (dot) com [email concealed], and are sent to
example.user (at) mydomain (dot) com. [email concealed]
Also, the attached files are always zip files, and have been named
4.zip, 5.zip, 6.zip, and work.zip .
A bounce message from one of our customers suggests they blocked an
email from on of our users that was infected with trojan.tooso.F, but
the emails stopped don't exhibit those characteristics, And even
Symantec's write-up says this virus doesn't send it's own emails.
Is it possible there's a beagle variant that is spreading the Tooso
trojan as part of it's payload? Thanks in advance.
Dan Denton
Information Technology Manager, CCNA
Pay-LESS Office Products
addresses that tend to receive a lot of spam.
F-Secure's weblog reported "the sample appears to a variant of Mitglieder
trojan that is closely related to Bagle. It doesn't have replication
mechanism of its own, so it was probably spammed out using some other proxy
trojans or a new Bagle worm variant".
http://www.f-secure.com/weblog/
Virustotal.com reports that many AV vendors call it a Bagle variant,
Symantec calls the trojan Trojan.Tooso.F, and F-Prot calls it Mitglieder.
Trend Micro is naming the mass-mailing component WORM_BAGLE.xx, and the
dropped trojan TROJ_BAGLE.xx.
- Siobhan
Siobhan Jackson
WA State AG's Office
-----Original Message-----
From: Dan Denton [mailto:ddenton (at) PAYLESSOFFICE (dot) com [email concealed]]
Sent: Wednesday, April 20, 2005 12:37 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: New/recent virus outbreak
Have anyone seen any virus infected emails coming from addresses with
usernames identical to those on your own email servers, but from domains
like hotmail.com or netzero.com ? These emails seem to be sent from a
spoofed email address such as example.user (at) netzero (dot) com [email concealed], and are sent to
example.user (at) mydomain (dot) com. [email concealed]
Also, the attached files are always zip files, and have been named
4.zip, 5.zip, 6.zip, and work.zip .
A bounce message from one of our customers suggests they blocked an
email from on of our users that was infected with trojan.tooso.F, but
the emails stopped don't exhibit those characteristics, And even
Symantec's write-up says this virus doesn't send it's own emails.
Is it possible there's a beagle variant that is spreading the Tooso
trojan as part of it's payload? Thanks in advance.
Dan Denton
Information Technology Manager, CCNA
Pay-LESS Office Products
[ reply ]