Watch out for this new e-mail worm

greenspun.com : LUSENET : Current News - Homefront Preparations : One Thread

This just came across from our security guy - hope the formatting comes across

From: llittle@trusecure.com [mailto:llittle@trusecure.com]
Sent: Monday, January 28, 2002 7:42 AM
Subject: FW: TruSecure ALERT- TSA 02-001 - W32/MyParty - TruSecure Malicious Code ALERT

THIS JUST HIT EARLY, EARLY THIS AM, "MY PARTY" Microsoft Outlook vulnerability, Larry Little

TruSecure ALERT- TSA 02-001 - W32/MyParty - TruSecure Malicious Code ALERT

Names: W32/MyParty-A, W32/Myparty@mm, W32.Myparty@mm

Type: Win32 executable mass-mailing worm

Date: January 28, 2002 Time: 1210 GMT

Initial Assessment: IMPORTANT
Threat: Medium (many sites are experiencing multiple hits from this)

Vulnerability Prevalence: Low for TruSecure Sites Clients (filtering on .com attachments); Medium to High for others and home users

Cost: Medium to low (no payload)

TruSecure has detected a new worm that sends itself to the Windows address book and the Outlook address book.

The worm uses a static attachment name of "www.myparty.yahoo.com" (without the quotes). Users unwittingly double-click on the attachment name, thinking it is a URL. The worm uses a static Subject and message body:

Subject: new photos from my party!

Message text:

Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!

The attachment is 29,696 bytes in size. It does not contain an icon, thus the icon appears to be an MS-DOS box/program in those mail clients that display the attachment's icon.

The worm has its own SMTP engine and uses the SMTP settings found at this registry key to send itself: HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001

The worm also sends an e-mail to napster@gala.net, possibly for the virus author to track its spread.

MITIGATIONS: Based upon the TruSecure Anti-Virus Policy Guide, TruSecure customers should already have filters in place to block these types of attachments and therefore should not have a serious risk. Home users or others without filtering rules are at the greatest risk. TruSecure customers should check to ensure that the correct filter rules are in place and to update gateway scanners as appropriate.

For this virus: *.com

Additional mitigations include:

1. Update AV signatures.
2. Use the Outlook security patch.
3. Disable, at the web proxy, corporate browser access to web-based e-mail systems like Hotmail, Yahoo Mail, etc.
4. Monitor outbound mail logs for messages sent to napster@gala.net to detect infections that avoided corporate inbound mail filters.

COMMUNICATION:

Please contact your TruSecure analyst if you have any questions or if you have an actual infection from this worm.

TruSecure Corporation provides information security assurance services including TruSecure(tm) which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code (virus, Trojan worm and related) risk, Privacy risk, Downtime risk, Physical risk and Human Factors risk. See www.trusecure.com for further information on these services.

DISCLAIMER: Copyright 2002 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

-- Anonymous, January 28, 2002
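Added example, not part of the TruSecure alert or of this thread: a Python script that applies the alert's mitigations to constructed sample data. It runs the gateway rule that quarantines *.com attachments (the worm's file name "www.myparty.yahoo.com" looks like a hostname but carries a .com executable extension), scores the alert's static indicators (subject line, attachment name, 29,696-byte size), and scans outbound mail-log lines for deliveries to the napster@gala.net tracking address. The sample messages use placeholder bytes rather than the worm, the extra blocked extensions beyond .com are an assumed policy, and the Postfix-style log lines are invented for the example.

```python
# Added example (not from the TruSecure alert or this thread): the alert's
# gateway filter, its static indicators, and the outbound-log check, run on
# constructed sample data. Attachment bytes are placeholders, not the worm;
# the log lines imitate Postfix syslog format but are invented here.
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Static indicators taken from the alert text.
WORM_SUBJECT = "new photos from my party!"
WORM_ATTACHMENT = "www.myparty.yahoo.com"   # a .com executable, not a URL
WORM_SIZE = 29696                           # attachment size in bytes
TRACKING_ADDRESS = "napster@gala.net"       # outbound beacon to watch for

# Gateway policy: the alert names *.com; the other executable types are a
# common extension of that rule and are an assumption in this example.
BLOCKED_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}


def classify_message(raw: bytes) -> dict:
    """Apply the attachment-type filter and the worm's static indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, blocked, indicators = [], False, 0

    if (msg["Subject"] or "").strip().lower() == WORM_SUBJECT:
        indicators += 1
        reasons.append("static worm subject line")

    for part in msg.iter_attachments():
        # get_filename() checks Content-Disposition filename=, then Content-Type name=
        name = part.get_filename() or ""
        # splitext treats 'www.myparty.yahoo.com' as ending in '.com': a hostname
        # to the eye, a DOS executable to Windows. That is why the filter works.
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            blocked = True
            reasons.append(f"blocked attachment type {ext}: {name}")
        if name.lower() == WORM_ATTACHMENT:
            indicators += 1
            reasons.append("static worm attachment name")
        if len(payload) == WORM_SIZE:
            indicators += 1
            reasons.append(f"attachment is exactly {WORM_SIZE} bytes")

    # Two independent indicators is the bar for calling it MyParty rather than
    # just a policy violation; the size alone would false-positive on any file.
    return {"blocked_by_policy": blocked,
            "myparty_match": indicators >= 2,
            "reasons": reasons}


# Mitigation 4: find deliveries to the beacon address in outbound MTA logs.
# Matches Postfix-style lines of the form "<ts> <host> <proc>: <qid>: to=<addr>, ...".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")


def find_tracking_beacons(lines):
    """Return (timestamp, host, queue-id) for each delivery to TRACKING_ADDRESS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("rcpt").lower() == TRACKING_ADDRESS:
            hits.append((m.group("ts"), m.group("host"), m.group("qid")))
    return hits


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message (sample data for this example, not worm code)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = subject
    msg.set_content("Hello! My party... It was absolutely amazing!")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: placeholder bytes stand in for the 29,696-byte worm body.
SAMPLE_WORM = build_sample(WORM_SUBJECT, WORM_ATTACHMENT, b"M" * WORM_SIZE)
SAMPLE_BENIGN = build_sample("photos from the hike", "trail.jpg", b"\xff\xd8" + b"\x00" * 98)

# Constructed Postfix-style lines; only the second is a beacon delivery.
SAMPLE_LOG = [
    "Jan 28 09:14:02 mailgw postfix/smtp[4120]: 7A1B2: to=<alice@example.com>, "
    "relay=mx.example.com[192.0.2.10]:25, status=sent (250 OK)",
    "Jan 28 09:14:07 mailgw postfix/smtp[4122]: 7A1B9: to=<napster@gala.net>, "
    "relay=mx.gala.net[192.0.2.20]:25, status=sent (250 OK)",
]

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, classify_message(raw))
    print("beacon deliveries:", find_tracking_beacons(SAMPLE_LOG))
```

The extension check is deliberately separate from the indicator score: the gateway rule blocks the attachment type regardless of whether this particular worm is recognised, which is the point the alert makes about customers who already filter *.com. The log scan only identifies the queue id and relay host; tracing back to the infected sender needs the matching queue-manager line from the same MTA log.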

Answers

geez! what a hassle!

-- Anonymous, January 28, 2002

I received another alert about this from another friend.

To: All Personnel cc:

Subject: FW: New Virus

I just verified this to be a real virus. Those who use Outlook for their personal E-mail need to read this carefully to avoid opening the virus if it is sent to you.

---------------------- Forwarded by XXXXXXXXXXXXX on 01/28/2002 11:37 AM ---------------------------

"XXX" on 01/28/2002 11:35:57 AM

To: XXXXXXXX cc:

Subject: FW: New Virus

> -----Original Message-----
> From: XXXXXXX
> Sent: Monday, January 28, 2002 10:53 AM
> To: All E-mail Users
> Subject: New Virus
>
> A new virus was discovered in Europe this morning and it has already made its way to the US and to our e-mail server. If you receive the following described e-mail, please delete it immediately from your in-box and deleted items folder. DO NOT OPEN THE ATTACHMENT OR GO TO THE WEB SITE. If you have already opened it, please contact the help desk immediately at xxx-xxxx.
>
> Subject: New photos from my party
>
> Body: My party.....It was absolutely amazing. I have attached my web page with new photos. If you can please make color prints of my photos....Thanks

-- Anonymous, January 28, 2002


Now, if you are receiving your emails through AOL, I'm betting they already have their own filters set up to intercept and stop this one.

-- Anonymous, January 28, 2002

This one must be pretty widespread 'cause I got sent it today and I almost never get them..........my Norton's caught and isolated it, thank goodness.

-- Anonymous, January 28, 2002

I have had 3 viruses sent but caught in 3 days, all from spams and not real people. Thank goodness the AV is stopping them.

-- Anonymous, January 28, 2002

