[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Yet another version of a worm mass mail? (Paypal.com new year offer)
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Yet another version of a worm mass mail? (Paypal.com new year offer)
- From: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Date: Thu, 15 Jan 2004 22:26:44 +1300
Michael Renzmann <security@dylanic.de> wrote:
> I received a mail which is said to be from Paypal.com (has been sent
> from an IP that is registered to an ISP in Venezuela), subject is
> "PAYPAL.COM NEW YEAR OFFER". Attached is a file called "paypal.zip" that
> contains a file "paypal.exe" (2592 bytes).
>
> Is this yet another variant of a well-known mass mailing worm, or is
> this something new? I saved that mail, so if someone wants to take a
> closer look at it, let me know.
Almost certainly a new downloader (i.e. detected by _very few_ virus
scanners) that was spammed in just the manner you describe earlier
today. Instead of sending the existing (and well-detected) Mimail.P,
someone spammed out this ~2KB downloader which, if run by your typical
victim of such scams would snag a copy of Mimail.P from a Russian web
server and run it on the victim's machine. A few minutes ago the file
at said Russian site was still Mimail.P but it could presumably be
relaced at any time with anything else.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html