RE: Worm.SCO.A
Jan 29 2004 06:00PM
Shawn Jackson (sjackson horizonusa com)
Worm.SCO.A maps to Novarg (F-Secure), W32.Novarg.A@mm (Symantec),
W32/Mydoom.a@MM, Win32.Mydoom.A (CA), Win32/Shimg (CA), WORM_MIMAIL.R
(Trend). It is not a MIMAIL variant as Trend Micro suspected, so AV DEFs
looking for MIMAIL and its ilk will miss the virii. I haven't received
any Mydoom.B virii, so I don't know what ClamAV will call that
(Worm.SCO.B or Worm.MICROSOFT.A, whatever).
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson (at) horizonusa (dot) com
Phone: (775) 858-2338
 (800) 325-1199 x338

-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown (at) hotmail (dot) com]
Sent: Wednesday, January 28, 2004 2:05 AM
To: Shawn Jackson; security-basics (at) securityfocus (dot) com
Subject: RE: Worm.SCO.A

Hi there,

I just wanted to let Shawn and others know that you are not alone; I too
have received several copies of this mail in the past 24 hours, and am
beginning to wonder what it is.

Kindest of regards,

Hamish Stanaway
Absolute Web Hosting
Owner/Operator
Auckland
New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz

>From: "Shawn Jackson" <sjackson (at) horizonusa (dot) com>
>To: <security-basics (at) securityfocus (dot) com>
>Subject: Worm.SCO.A
>Date: Mon, 26 Jan 2004 14:38:23 -0800
>MIME-Version: 1.0
>Received: from outgoing2.securityfocus.com ([205.206.231.26]) by
> mc8-f31.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
> Wed, 28 Jan 2004 00:55:31 -0800
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing2.securityfocus.com (Postfix) with QMQP id 796F08F81A;
> Tue, 27 Jan 2004 10:41:15 -0700 (MST)
>Received: (qmail 26490 invoked from network); 26 Jan 2004 23:04:45 -0000
>X-Message-Info: 6sSXyD95QpVARocLih1tSEi4bFjjlIQ9
>Mailing-List: contact security-basics-help (at) securityfocus (dot) com; run by ezmlm
>Precedence: bulk
>List-Id: <security-basics.list-id.securityfocus.com>
>List-Post: <mailto:security-basics (at) securityfocus (dot) com>
>List-Help: <mailto:security-basics-help (at) securityfocus (dot) com>
>List-Unsubscribe: <mailto:security-basics-unsubscribe (at) securityfocus (dot) com>
>List-Subscribe: <mailto:security-basics-subscribe (at) securityfocus (dot) com>
>Delivered-To: mailing list security-basics (at) securityfocus (dot) com
>Delivered-To: moderator for security-basics (at) securityfocus (dot) com
>content-class: urn:content-classes:message
>X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
>Message-ID: <EA4A7785EECF644493D88EB58A80992D8DFA9C (at) hzmail.horizon (dot) lcl>
>X-MS-Has-Attach:
>X-MS-TNEF-Correlator:
>Thread-Topic: Worm.SCO.A
>Thread-Index: AcPkUphWt8utkfEfQyGl0VstP6ZDrwAAr/nwAAGI2jA=
>X-Virus-Scanned: HorizonUSA Mail Security System
>Return-Path: security-basics-return-26478-koremeltdown=hotmail.com (at) securityfocus (dot) com
>X-OriginalArrivalTime: 28 Jan 2004 08:55:31.0563 (UTC) FILETIME=[7C00ABB0:01C3E57C]
>
>
> Anyone else encountering this? I've just got hammered with a few
>hundred of these in the last hour and a half and I can't quite discern
>what exactly the virii is. There doesn't seem to be a map from ClamAV
>virus naming format to any other. Anyone have a clue of what this virus
>is?
>
> I looked at the quarantine, and it seemed to be just the virii payload
>and no content, file.pif.exe. I've also seen it as a file.zip, doc.zip,
>document.zip, document.pif, rhn.scr, data.zip, message.zip, test.zip.
>There could be more, but I just don't have the time to check the
>payload on all the messages.
>
>-------------------AMAVIS REPORT------------------
>A virus (Worm.SCO.A) was found.
>
>Two banned names (file.pif, .exe) were found.
>
>Scanner detecting a virus: Clam Antivirus-clamd
>
>The mail originated from: <ctccyc (at) aol (dot) com>
>
>According to the 'Received:' trace, the message originated at:
> aol.com (unknown [12.9.171.xxx])
>
>The message WAS NOT delivered to:
><xxx (at) horizonusa (dot) com>:
> 550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A
>
>Virus scanner output:
> /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002: Worm.SCO.A FOUND
>
>The message has been quarantined as:
> /var/amavisd/quarantine/virus-20040126-141800-28441-07
>
>------------------------- BEGIN HEADERS -----------------------------
>Return-Path: <xxxxx (at) aol (dot) com>
>Received: from aol.com (unknown [12.9.171.xxx])
> by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
> for <ted (at) horizonusa (dot) com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
>From: xxxx (at) aol (dot) com
>To: xxx (at) horizonusa (dot) com
>Subject:
>Date: Mon, 26 Jan 2004 14:17:47 -0800
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
>X-Priority: 3
>X-MSMail-Priority: Normal
>Message-Id: <20040126221759.DFA572D8106 (at) mta1.horizonusa (dot) com>
>-------------------------- END HEADERS ------------------------------
>
>Shawn Jackson
>Systems Administrator
>Horizon USA
>1190 Trademark Dr #107
>Reno NV 89521
>
>www.horizonusa.com
>Email: sjackson (at) horizonusa (dot) com
>Phone: (775) 858-2338
> (800) 325-1199 x338
>
>---------------------------------------------------------------------------
>Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
>course! All of our class sizes are guaranteed to be 10 students or less.
>We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
>and many other technical hands on courses.
>Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
>any course!
>---------------------------------------------------------------------------
>
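The AMAVIS report quoted in the thread rejects the message on two grounds: a ClamAV signature hit and two "banned names" (file.pif, .exe) found in the attachment filename. The block below is an added example, not code from the thread or from amavisd-new, showing how a name-based attachment policy of that kind works and why it has to look at every extension in a name like file.pif.exe and inside zip archives, given the names Shawn lists (file.pif.exe, document.pif, rhn.scr, document.zip). The banned-extension list, the sample attachments and the in-memory zip are constructed for the example and are not the quoted site's actual policy or traffic.

```python
import io
import zipfile

# Extensions blocked by this example policy. This list is an assumption for
# the example; a real amavisd-new banned-names table is site specific.
BANNED_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}


def check_name(filename):
    """Return every banned extension appearing anywhere in the filename.

    Every dot-separated part after the first is examined, so a double
    extension such as file.pif.exe yields ['pif', 'exe'] rather than only
    the final suffix, and the check is case-insensitive (Document.PIF).
    """
    parts = filename.lower().split(".")
    return [p for p in parts[1:] if p in BANNED_EXTENSIONS]


def check_attachment(filename, data):
    """Inspect one attachment and return a list of (name, [banned]) findings.

    Zip archives are opened in memory and their member names are checked
    too, because the worm also arrived wrapped as document.zip, data.zip
    and the like with the executable inside.
    """
    findings = []
    hits = check_name(filename)
    if hits:
        findings.append((filename, hits))
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = check_name(member)
                    if inner:
                        findings.append((f"{filename}:{member}", inner))
        except zipfile.BadZipFile:
            # A .zip that does not parse cannot be inspected; treat it as a
            # finding rather than silently letting it through.
            findings.append((filename, ["malformed-zip"]))
    return findings


def scan_message(attachments):
    """attachments: list of (filename, bytes). Returns (verdict, findings).

    The verdict mirrors the 550 5.7.1 rejection shown in the AMAVIS report.
    """
    findings = []
    for name, data in attachments:
        findings.extend(check_attachment(name, data))
    verdict = "550 5.7.1 Message content rejected - BANNED" if findings else "accept"
    return verdict, findings


def build_sample_zip(member_name):
    """Constructed sample: an in-memory zip holding one dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed dummy content, not a binary")
    return buf.getvalue()


# Constructed sample attachments modelled on the names quoted in the thread.
SAMPLE_ATTACHMENTS = [
    ("file.pif.exe", b"constructed dummy content"),
    ("document.zip", build_sample_zip("document.pif")),
    ("rhn.scr", b"constructed dummy content"),
    ("readme.txt", b"plain text, should pass"),
]

if __name__ == "__main__":
    verdict, findings = scan_message(SAMPLE_ATTACHMENTS)
    print(verdict)
    for name, banned in findings:
        print(f"  {name}: banned {', '.join(banned)}")
```

Running the block rejects the constructed message on three names (file.pif.exe, the document.pif member inside document.zip, and rhn.scr) and leaves readme.txt alone. A name check of this kind is cheap and catches the whole attachment-name set Shawn observed, but it says nothing about the bytes inside an attachment, so it complements a signature scanner like the ClamAV hit in the report rather than replacing it.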