What I can add to this is that Trend Micro wasnt detecting this Toofo.F properly. I called them and they acknowledged they had a problem with the DAT file (many customers called) and would have an update for it by end of day. Our Symantec AV (on the workstations) was picking them up and removing it.

Yes, the source from address was spoofed to look like it came from the user it went to (ie: if it went to John Doh , it came from JDoh), of course the headers where a different story. As of now still no fix from Trend....

-----Original Message-----

From: Dan Denton [mailto:ddenton (at) PAYLESSOFFICE (dot) com [email concealed]]

Sent: Wed 4/20/2005 3:36 PM

To: focus-virus (at) securityfocus (dot) com [email concealed]

Cc:

Subject: New/recent virus outbreak

Have anyone seen any virus infected emails coming from addresses with

usernames identical to those on your own email servers, but from domains

like hotmail.com or netzero.com ? These emails seem to be sent from a

spoofed email address such as example.user (at) netzero (dot) com [email concealed], and are sent to

example.user (at) mydomain (dot) com. [email concealed]

Also, the attached files are always zip files, and have been named

4.zip, 5.zip, 6.zip, and work.zip .

A bounce message from one of our customers suggests they blocked an

email from on of our users that was infected with trojan.tooso.F, but

the emails stopped don't exhibit those characteristics, And even

Symantec's write-up says this virus doesn't send it's own emails.

Is it possible there's a beagle variant that is spreading the Tooso

trojan as part of it's payload? Thanks in advance.

Dan Denton

Information Technology Manager, CCNA

Pay-LESS Office Products

[ reply ]