[iwar] [fc:Trojan.Horse.Disguised.as.Message.from.SecurityFocus.and.TrendMicro]

From: Fred Cohen (fc@all.net)
Date: 2001-09-30 22:26:46



It has come to our attention that a message claiming to come from
SecurityFocus' ARIS system and TrendMicro is being used to deliver what
looks like a trojan horse to unsuspecting users.  These messages do not
come from us or TrendMicro, as a quick check of the headers will reveal. 

The messages come with an executable attachment named FIX_NIMDA.exe.  Do
*NOT* run this attachment. 

The name is similar to the one used by TrendMicro for their free Nimda
removal tool (FIX_NIMDA.com).  To say the least, we haven't ever sent out
any type of executable attachment claiming to be a fix to any worm or
vulnerability.  And we certainly don't send out email using the brain
dead multipart/alternative MIME type.

We are still trying to determine what the code does.  At first glance it
appears to include some type of zip file that when run creates a
directory called FIX_NIMDA, with the files FIX_NIMDA.exe,
readme.txt, SLIDE.DAT, and slide.exe.

The readme.txt file is a copy of the file distributed by TrendMicro with
their free Nimda disinfection tool.  The FIX_NIMDA.exe file is not
the same as TrendMicro's, but it appears to attempt to deceive the user
by printing out some output that makes it appear like it is working as
advertised.

Below you can find a sample of the fake message being used to transmit
this trojan.  If you have received a similar message we would like to
hear from you.

Common sense and best practices indicate that you should not execute
any code that comes via email unless you can authenticate the source of
the message.  Sadly, as previous worms make all too clear, there will
always be people who do not follow safe computing practices.


------------------
http://all.net/ 
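An added example, not part of the advisory or of this post, of a mail-gateway check that scores an incoming message against the indicators the advisory lists: a sender claiming to be securityfocus.com or trendmicro.com, a multipart/alternative body, and an executable attachment named FIX_NIMDA.exe. The spoofed sender address, the sample message and the verdict labels are constructed for this example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Domains the fake "fix" mail claims to come from (per the advisory) and the
# attachment extensions Windows will run directly.
IMPERSONATED_DOMAINS = ("securityfocus.com", "trendmicro.com")
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")
LURE_NAME = "FIX_NIMDA"  # attachment name reported in the advisory

def build_sample(with_trojan: bool = True) -> bytes:
    """Constructed sample (not the real mail) carrying the advisory's indicators."""
    msg = EmailMessage()
    msg["From"] = "ARIS <aris@securityfocus.com>"  # hypothetical spoofed sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Nimda removal tool"
    msg.set_content("Run the attached tool to disinfect Nimda.")
    if with_trojan:
        # multipart/alternative body plus an executable attachment
        msg.add_alternative("<p>Run the attached tool.</p>", subtype="html")
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="FIX_NIMDA.exe")
    return msg.as_bytes()

def inspect(raw: bytes) -> dict:
    """Score a raw RFC 822 message against the indicators the advisory lists."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = (msg.get("From") or "").lower()
    claims_vendor = any(d in sender for d in IMPERSONATED_DOMAINS)
    executables, alternative, lure = [], False, False
    for part in msg.walk():
        if part.get_content_type() == "multipart/alternative":
            alternative = True
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTS):
            executables.append(name)
            lure = lure or name.upper().startswith(LURE_NAME)
    # Executable content from an unauthenticated sender is never delivered;
    # a vendor-looking sender plus an executable is treated as impersonation.
    if executables:
        verdict = "quarantine-impersonation" if claims_vendor else "quarantine"
    else:
        verdict = "deliver"
    return {"claims_vendor": claims_vendor, "executables": executables,
            "multipart_alternative": alternative, "nimda_lure": lure,
            "verdict": verdict}
```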




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:53 PST