RE: Re[2]: Your password! It's S New Worm W32/Frethem.K@mm
It's a new one not KLEZ ...
A number of people have received email from contacts at other sites
with the subject line "Your Password!"
This is a new email-based worm that hit many European High Energy Physics sites earlier today and is now affecting sites in the US. The anti-virus companies will have updates available soon, but in the meantime the SLAC email gateway has stripped on the order of 600 infected email attachments destined to SLAC users. At this time, we have no reports of infection within SLAC and we should remain safe even from those who infect their own machines by reading email from non-SLAC sources (home institutions, Yahoo, Hotmail, etc.) and then executing the "Decrypt-password.exe" file.
Here is a quote from the CIAC "Heads-Up" on this latest worm ...
There are reports this morning of DOE sites being hit by the W32/Frethem.K@mm worm. The worm uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:
Subject: Re: Your Password!
Attachments: Decrypt-password.exe and Password.txt
Size of attachment: 48,640 bytes
The affected systems are Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows ME.
The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (CIAC Bulletin L-066) in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2).
-----Original Message-----
From: dgoulet_at_vicr.com [mailto:dgoulet_at_vicr.com]
Sent: Monday, July 15, 2002 9:08 AM
To: Multiple recipients of list ORACLE-L
Bunyamin,
Did you pick up a copy of worm_klez somewhere?
Dick Goulet
____________________Reply Separator____________________
Author: bunyamink_at_havelsan.com.tr
Date: 7/15/2002 6:53 AM
<HTML><HEAD></HEAD><BODY>
<FONT COLOR=FF0000>
<b>ATTENTION!</b><br><br>
You can access<br>
<b>very important</b><br>
information by<br>
this password<br><br>
<b>DO NOT SAVE</b><br>
password to disk<br>
use your mind<br><br>
now press<br>
<b>cancel</b><br><br>
(Bunyamin Karadeniz)</font></BODY></HTML>
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
  INET: dgoulet_at_vicr.com

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Author: MacGregor, Ian A.
  INET: ian_at_SLAC.Stanford.EDU

Received on Mon Jul 15 2002 - 16:49:53 CDT
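A gateway-side check built from the indicators in the CIAC quote above, as an added example that is not part of the original posts and not SLAC's gateway code. The function names, the executable-extension list, the reading of the 48,640-byte size as belonging to the .exe, the MIME-mismatch heuristic, and the sample messages (inert filler bytes) are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the CIAC heads-up above.
SUBJECT = "re: your password!"
ATTACHMENT_NAMES = {"decrypt-password.exe", "password.txt"}
WORM_SIZE = 48640  # bytes; assumed here to describe the .exe attachment
# Assumption (not from the post): extensions the gateway treats as executable.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def strip_reasons(raw: bytes) -> list[str]:
    """Return the reasons a gateway would strip this message's attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue  # multipart containers and the text body have no file name
        payload = part.get_payload(decode=True) or b""
        if name in ATTACHMENT_NAMES:
            reasons.append(f"name:{name}")
        if name.endswith(EXEC_EXTS) and len(payload) == WORM_SIZE:
            reasons.append(f"size:{name}")  # still matches if the file is renamed
        # Generic check for the incorrect-MIME-header class of problem:
        # an executable file name declared under a non-application type.
        if name.endswith(EXEC_EXTS) and part.get_content_maintype() != "application":
            reasons.append(f"mime-mismatch:{name}")
    return reasons


def sample(subject: str, filename: str, maintype: str, subtype: str, size: int) -> bytes:
    """Build a constructed test message whose attachment is zero-filled."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("body")
    m.add_attachment(b"\x00" * size, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(strip_reasons(sample("Re: Your Password!", "Decrypt-password.exe", "audio", "x-wav", WORM_SIZE)))
    print(strip_reasons(sample("Quarterly report", "report.pdf", "application", "pdf", 1200)))
```

Matching on several independent indicators means a variant that changes only the subject or the file name is still caught by the size or MIME-mismatch rule.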