Incidents
Nick FitzGerald wrote Sunday, January 12, 2003 6:39 PM
> Yaha.K was discovered before Christmas, and although that machine
> seemed to start spewing out Yaha Email as Yaha.M was first being
> reported, it is not infected with Yaha.M but with Yaha.K as a simple
> analysis of the file attached to its Email shows.
Thanks for the correction.
I looked at headers and message text, and I stripped the attachments without
analyzing them.
Headers and message body options are AFAICT the same between K and M and
match no other circulating worms, based on Trend Micro and Symantec
descriptions. My original determination that the infection was M rather than
K was based on David Gillett's assertion that Norton (unspecified product)
did not detect a worm in the message at a time when definitions detecting K
were already available.
When the new messages arrived, they were apparently more of the same and I
reported them as such. For notification purposes I believe that this
admittedly imprecise analysis was adequate, despite my incorrect conclusion.
For the sake of absolute correctness I should not have specified the
infection as Yaha-M when I had never performed a positive binary analysis of
the attachment - I should have just said maybe "apparently one of the newer
varieties of the Yaha family of worms, based on message headers and text".
> I agree that the sender may be on this list or a frequenter of the
> archives. If you are reading this and are a cable (the "kbl" of
> "kbl-zrz2519.zeelandnet.nl" is, at a guess a contraction of the Dutch
> for "cable") customer of zeelandnet.nl, please head to one of the AV
> sites for a description of Yaha.K (or one of the names above!) and
> find out how to fix it and then do something about getting protected
> so as to reduce the likelihood of becoming infected again.
> > Since the infections are still coming I've notified the administrator of
> > zeelandnet.nl - hopefully they will hunt the user down and help them clear
> > the infection.
>
> So have I -- the problem is they decided the best action was to
> prevent that IP accessing their mail server:
>
> Thanks for the message.
>
> The user is blocked for outgoing e-mail to block this virus.
>
> As they don't really say how or what they have blocked, and the
> messages keep coming, I guess they have blocked access to their own
> mail servers, which the virus will not try to use except when it
> tries to send itself to an address for which a zeelandnet.nl mail
> server is the mail-exchanger (AFAICT, Yaha.K's SMTP engine tries to
> resolve MX records in the DNS then sends its mail directly to that
> SMTP server rather than relying on any "local" SMTP servers to relay
> for it).
Thanks for sharing their response. I have not received anything from
zeelandnet.nl administrators beyond the initial automated response. I have
also not received any more infected messages from the offender since
submitting the notification (which of course doesn't prove anything).
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
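The thread's point about Yaha.K is that a worm with its own SMTP engine looks up the victim domain's MX record and connects straight to that mail exchanger, so an ISP that only blocks the infected host at its own mail servers stops almost nothing. The script below is an added example (not code from the thread or from any of the posters) that shows what a defender can do with that knowledge: it reads constructed firewall/flow log lines, flags hosts fanning out tcp/25 connections to many external mail exchangers, and compares how many of those connections the two policies would stop. The log format, the relay address 10.0.0.25, the host addresses and the fan-out threshold are all assumptions made up for the example.

```python
"""Spot direct-to-MX senders in outbound connection logs and compare the
effect of 'block at our own relays' versus a real egress filter on tcp/25."""
import ipaddress
from collections import defaultdict

# Constructed sample log. Assumed format, one connection per line:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
# 10.0.5.19 behaves like a host with its own SMTP engine: one connection to the
# ISP relay, then direct connections to several foreign mail exchangers.
SAMPLE_LOG = """\
2003-01-12T18:00:01 10.0.5.19 10.0.0.25 25 tcp
2003-01-12T18:00:02 10.0.5.19 198.51.100.7 25 tcp
2003-01-12T18:00:02 10.0.5.19 203.0.113.44 25 tcp
2003-01-12T18:00:03 10.0.5.19 192.0.2.10 25 tcp
2003-01-12T18:00:04 10.0.5.19 192.0.2.11 25 tcp
2003-01-12T18:00:05 10.0.7.3 10.0.0.25 25 tcp
2003-01-12T18:00:06 10.0.7.3 198.51.100.7 25 tcp
2003-01-12T18:00:07 10.0.9.8 10.0.0.25 25 tcp
2003-01-12T18:00:08 10.0.9.8 203.0.113.9 443 tcp
"""

# Hypothetical set of the ISP's own outbound relays; legitimate clients
# are expected to hand mail to these and nothing else on port 25.
ALLOWED_RELAYS = {ipaddress.ip_address("10.0.0.25")}


def parse_log(text):
    """Parse the assumed log format into (ts, src, dst, port, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append((ts, ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(port), proto))
    return records


def direct_to_mx_hosts(records, allowed_relays, threshold=3):
    """Return {src: [distinct non-relay SMTP destinations]} for every source
    that opened tcp/25 to at least `threshold` distinct hosts outside the
    allowed relay set. Mail clients talk to one relay; a worm with its own
    SMTP engine talks to one MX per victim domain, so the fan-out is the tell."""
    dests = defaultdict(set)
    for _, src, dst, port, proto in records:
        if proto == "tcp" and port == 25 and dst not in allowed_relays:
            dests[src].add(dst)
    return {str(src): sorted(str(d) for d in ds)
            for src, ds in dests.items() if len(ds) >= threshold}


def count_blocked(records, src, policy, allowed_relays):
    """Count tcp/25 connections from `src` that a policy would stop.
    'block_own_relays' models the ISP response quoted in the thread: the host
    is refused only at the ISP's own mail servers.
    'egress_filter' models the usual fix: outbound tcp/25 is allowed only to
    the ISP relays, so direct-to-MX delivery fails.
    Returns (blocked, total)."""
    src = ipaddress.ip_address(src)
    blocked = total = 0
    for _, s, dst, port, proto in records:
        if s != src or proto != "tcp" or port != 25:
            continue
        total += 1
        if policy == "block_own_relays":
            blocked += dst in allowed_relays
        elif policy == "egress_filter":
            blocked += dst not in allowed_relays
        else:
            raise ValueError("unknown policy: %s" % policy)
    return blocked, total


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, mxs in direct_to_mx_hosts(recs, ALLOWED_RELAYS).items():
        print("direct-to-MX sender %s -> %d external MX hosts" % (host, len(mxs)))
        for policy in ("block_own_relays", "egress_filter"):
            b, t = count_blocked(recs, host, policy, ALLOWED_RELAYS)
            print("  %-17s stops %d of %d SMTP connections" % (policy, b, t))
```

On the constructed log the flagged host's own-relay block stops 1 of its 5 SMTP connections while the egress filter stops 4 of 5; the one connection that gets through the egress filter is the one to the ISP relay, where the ISP can scan or rate-limit it. The threshold exists because a host that hands mail to one external relay (10.0.7.3 above) is not evidence of a mass mailer.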