Bill
Thu Sep 18 20:25:46 CDT 2003
I've not seen either one first-hand, so far--except for the sucker who
published the whole thing with attachments in microsoft.public.mac.rdc
"Michel Gallant" <neutron@istar.ca> wrote in message
news:ujjH$xkfDHA.576@tk2msftngp13.phx.gbl...
> The failure delivery notice is interesting .. it looks like a multi
> part message (source) formed like:
>
> Content-Type: audio/x-midi; name="degpi.exe"
> Content-Transfer-Encoding: base64
> Content-Id: <ntdvubxdyzf>
> <large block of b64 data of unknown effect>
>
> however, I won't dig any deeper than that :-)
>
> - Michel Gallant
> MVP Security
>
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> news:%23IKURwkfDHA.1712@TK2MSFTNGP11.phx.gbl...
> > These are infected as well.
> >
> > Some a/v engines call these worm.automat.Axx (where xx varies)
> > but others seem to see it as Swen--I suspect they are the same critter, one
> > title given by heuristics, the other by pattern recognition.
> >
> >
> > http://www.microsoft.com/technet/security/virus/alerts/swen.asp
> >
> > "Richard Mueller" <rlmueller@ameritech.net> wrote in message
> > news:09dc01c37e49$39258b20$a101280a@phx.gbl...
> > > Hi,
> > >
> > > What about the mail delivery failure notices? Are they
> > > infected? When you open the message (there is no
> > > attachment) it tries to run a script. The source code has:
> > >
> > > <iframe src="cid:kewjat" height=0 width=0></iframe>
> > >
> > > where "kewjat" varies with each message (I have lots of
> > > examples). Is this trying to run code?
> > >
> > > See:
> > >
> > >
> > > http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
> > >
> > > Richard
> > > Microsoft MVP Scripting and ADSI
> > > >-----Original Message-----
> > > >Thanks for the alert. Hopefully folks will read your
> > > >thread about this issue.
> > > >
> > > >I also wanted to let everyone know that Microsoft does
> > > >NOT email unsolicited security patches. Any mail
> > > >you receive that contains a file saying that it is a
> > > >patch, or an email that says "click here" to receive the
> > > >patch, etc. did not come from Microsoft.
> > > >
> > > >Rather, it appears you received the email resulting from
> > > >another computer (not yours) being infected by a mass
> > > >emailing worm. The two most widely-known are:
> > > >
> > > >W32.Gibe_mm
> > > >
> > > >http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html
> > > >
> > > >W32.Dumaru_mm
> > > >
> > > >http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.html
> > > >
> > > >Information on Bogus Microsoft Security Bulletin Emails
> > > >
> > > >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/patch_hoax.asp
> > > >
> > > >Any and all legitimate patches and updates are readily
> > > >available at http://windowsupdate.microsoft.com/. For
> > > >easy access, just start WindowsUpdate on your computer
> > > >and it will hook to the official Microsoft site to
> > > >provide you with access to patches and updates from
> > > >Microsoft.
> > > >
> > > >Kathy Prince
> > > >Program Manager
> > > >Microsoft Support Lifecycle & Security
> > > >
> > > >This posting is provided "AS IS" with no warranties, and
> > > >confers no rights.
> > > >
> > > >
> > > >>-----Original Message-----
> > > >>Messages being supposedly from Microsoft Security with
> > > >>attachments are infected with the W32.Swen.a@mm virus.
> > > >>This payload is not repairable. I have received two so
> > > >>far today...I submitted the files to Symantec and they
> > > >>identified the virus. Both emails seemed to originate on
> > > >>the earthlink dialup network....here is the header from
> > > >>one:
> > > >> Received: from source ([207.217.120.123]) by
> > > >>exprod5mx57.postini.com ([12.158.34.245]) with SMTP;
> > > >> Thu, 18 Sep 2003 22:30:08 GMT
> > > >>Received: from pool0213.cvx34-bradley.dialup.earthlink.net
> > > >>([216.244.6.213] helo=ielu)
> > > >> by swan.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
> > > >> id 1A07CF-0000N3-00; Thu, 18 Sep 2003 15:24:19 -0700
> > > >>and here is the other:
> > > >>Received: from server2.portal.shadowsnetwork.com
> > > >>[192.168.0.5] by server2.portal.shadowsnetwork.com
> > > >> (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8
> > > >>(1.8.4.0)); Thu, 18 Sep 2003 14:46:36 -0700
> > > >>Received: from user-119bv46.biz.mindspring.com
> > > >>([66.149.252.134] helo=lfgnmwxr)
> > > >> by snipe.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
> > > >> id 1A06Ya-0003Rc-00; Thu, 18 Sep 2003 14:43:20 -0700
> > > >>Beware!!!! Don't open them
> > > >>.
> > > >>
> > > >.
> > > >
> >
> >
>
>
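The thread above describes two things a mail administrator can check for mechanically: an HTML body carrying a zero-size `<iframe src="cid:...">` that points at another part of the same message, and a MIME part declared with a media type such as `audio/x-midi` while named with an executable extension, with Received headers showing where the message entered the mail system. The script below is an added example written for this page; it is not code from any poster in the thread. The two messages it parses are constructed samples (hostnames under `example.invalid`, the `kewjat`/`degpi.exe` names copied from the quoted posts), and the list of executable extensions and the function names (`analyze`, `is_suspicious`) are the example's own choices.

```python
"""Defensive triage of a message shaped like the bogus "delivery failure"
notices in the thread: an HTML part with <iframe src="cid:..."> and a
MIME part declared audio/x-midi but named *.exe.  Added example; both
messages below are constructed samples, not real captures."""
import email
import os
import re
from email import policy
from typing import List

# Constructed sample mirroring the structure quoted in the thread.
SAMPLE_MESSAGE = """\
Received: from relay.example.invalid ([192.0.2.10]) by mx.example.invalid; Thu, 18 Sep 2003 22:30:08 GMT
Received: from pool-host.example.invalid ([192.0.2.20] helo=ielu) by relay.example.invalid; Thu, 18 Sep 2003 15:24:19 -0700
From: "Postmaster" <postmaster@example.invalid>
To: user@example.invalid
Subject: Mail delivery failure
MIME-Version: 1.0
Content-Type: multipart/related; boundary="bnd"

--bnd
Content-Type: text/html; charset=us-ascii

<html><body>Your message could not be delivered.
<iframe src="cid:kewjat" height=0 width=0></iframe>
</body></html>
--bnd
Content-Type: audio/x-midi; name="degpi.exe"
Content-Transfer-Encoding: base64
Content-Id: <kewjat>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""

# Constructed benign message for contrast: a MIDI file with a .mid name, no iframe.
BENIGN_MESSAGE = """\
From: friend@example.invalid
To: user@example.invalid
Subject: tune
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Here is the tune.
--bnd
Content-Type: audio/x-midi; name="tune.mid"
Content-Transfer-Encoding: base64

TVRoZAAAAAYAAQABAGA=
--bnd--
"""

# Extensions Windows runs directly (assumed list for the example; extend as needed).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
CID_IFRAME = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def cid_iframes(html: str) -> List[str]:
    """Content-IDs referenced by <iframe src="cid:..."> tags in an HTML body."""
    return CID_IFRAME.findall(html)


def analyze(raw: str) -> dict:
    """Walk every MIME part and collect the indicators the thread describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"iframe_cids": [], "mismatched": [], "cid_to_name": {},
                # Received headers are prepended by each hop, so reversing
                # them lists the oldest (originating) hop first.
                "hops": [str(h) for h in reversed(msg.get_all("Received", []))]}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        cid = str(part.get("Content-Id", "")).strip("<> ")
        if ctype == "text/html":
            findings["iframe_cids"].extend(cid_iframes(part.get_content()))
        if name:
            if cid:
                findings["cid_to_name"][cid] = name
            ext = os.path.splitext(name)[1].lower()
            # An executable filename behind a media type is the mismatch
            # that let old mail clients run the part on preview.
            if ext in EXEC_EXTENSIONS and not ctype.startswith("application/"):
                findings["mismatched"].append((name, ctype))
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when a cid: iframe resolves to a mismatched, executable-named part."""
    bad_names = {name for name, _ in findings["mismatched"]}
    return any(findings["cid_to_name"].get(cid) in bad_names
               for cid in findings["iframe_cids"])


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        f = analyze(raw)
        print(label, "suspicious" if is_suspicious(f) else "clean", f["mismatched"])
        for hop in f["hops"]:
            print("  hop:", hop)
```

Run against a saved message (`analyze(open(path).read())`), the script reports the iframe's target, the part whose declared type disagrees with its filename, and the Received chain with the earliest hop first; a legitimate bounce has no cid: iframe and no executable-named part, so it is reported clean. Matching by Content-ID rather than by filename alone is what ties the hidden frame to the disguised part, which is the pattern that distinguishes these messages from an ordinary HTML mail with an inline image.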