
RE: finding pasword emails. Virus ???

From: Ron Rogers <RROGERS_at_galottery.org>
Date: Thu, 18 Jul 2002 13:58:25 -0800
Message-ID: <F001.0049C0BB.20020718135825@fatcity.com>


from an earlier email notification...IT IS A VIRUS



>>> ian_at_SLAC.Stanford.EDU 07/15/02 05:49PM >>>
It's a new one not KLEZ ...
-----BEGIN PGP SIGNED MESSAGE-----

A number of people have received email from contacts at other sites with the subject line "Your Password!"

This is a new email-based worm that hit many European High Energy Physics sites earlier today and is now affecting sites in the US. The anti-virus companies have updates available soon, but in the meantime the SLAC email gateway has stripped on the order of 600 infected email attachments destined to SLAC users. At this time, we have no reports of infection within SLAC and we should remain safe even from those who infect their own machines by reading email from non-SLAC sources (home institutions, Yahoo, Hotmail, etc.) and then executing the "Decrypt-password.exe" file.

Here is a quote from the CIAC "Heads-Up" on this latest worm ...

   There are reports this morning of DOE sites being hit
   by the W32/Frethem.K@mm worm. The worm uses its own
   SMTP engine to send itself to email addresses that it
   finds in the Microsoft Windows Address Book and in .dbx,
   .wab, .mbx, .eml, and .mdb files. The email message
   arrives with the following characteristics:

    Subject: Re: Your Password!
    Attachments: Decrypt-password.exe and Password.txt
    Size of attachment: 48,640 bytes

   The affected systems are Windows 95, Windows 98,
   Windows NT, Windows 2000, Windows XP, and Windows ME.

   The worm exploits the "Incorrect MIME Header Can Cause
   IE to Execute E-mail Attachment" vulnerability (CIAC
   Bulletin L-066) in Microsoft Internet Explorer
   (version 5.01 or 5.5 without SP2).

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQCVAwUBPTMKjF1NwfDT0XdRAQGAMQP/YXjQ8xz4XnRk02OYyrGKzDSQEaIOBm/Y H19u0QJ9t68UH8bpOf3uGtZFNV4koieizW2d39/Eiyl/HKzuPa7tkjR+QE/CFvjX RMg2XkYwbL1fuNyVDqjbPP400G/rYPAHnOjWEtUtXjPKrZnKT+IbPJUTQHjPGkJR jEa9o/Sejws=
=vrs9
-----END PGP SIGNATURE-----



ROR mm
>>> Beth.Seefelt_at_TetleyUSA.com 07/18/02 05:36PM >>>

I have gotten one also. It appears to be some type of attempted virus.
It's an HTML message that attempts to execute an attachment as an application. The attachment is called password.txt, I assume to fool the email filters. As far as I can tell, it didn't work on my machine, and I did a search through Symantec's web site for the signature, but didn't find one. If anyone knows what to look for to tell if the virus did anything, I'd appreciate the info.

Beth

-----Original Message-----
Sent: Thursday, July 18, 2002 5:14 PM
To: Multiple recipients of list ORACLE-L

Hello list,

I'm getting many "finding pasword" emails from non-registered users. Have you got this type of email? Is it a spam or virus?

regards...

--
Danisment Gazi Unal
http://www.ubTools.com 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com 
-- 
Author: Danisment Gazi Unal (ubTools)
  INET: dunal_at_ubTools.com 

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
--
Author: Seefelt, Beth
  INET: Beth.Seefelt_at_TetleyUSA.com 

-- 
Author: Ron Rogers
  INET: RROGERS_at_galottery.org

Received on Thu Jul 18 2002 - 16:58:25 CDT
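
An added example (not part of the original thread or of any tool it mentions): a gateway-style check that flags a message matching the characteristics listed in the quoted CIAC heads-up. The executable-extension list, the MIME-type mismatch heuristic, the audio/x-wav sample type, the zero-filled payload and all function names are assumptions made for the illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Characteristics quoted in the CIAC heads-up in the thread.
SUBJECT = "re: your password!"
ATTACHMENT_NAMES = {"decrypt-password.exe", "password.txt"}
ATTACHMENT_SIZE = 48640  # bytes
# Assumption (not from the page): extensions the gateway treats as executable.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def inspect_message(raw):
    """Return the reasons a raw message matches the heads-up (empty list if none)."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue  # body text and multipart containers carry no filename
        payload = part.get_payload(decode=True) or b""
        if name in ATTACHMENT_NAMES:
            reasons.append("name:" + name)
        if len(payload) == ATTACHMENT_SIZE:
            reasons.append("size:" + name)
        # Assumed heuristic: an executable file name declared with a
        # non-application MIME type is a mismatch worth stripping.
        if name.endswith(EXECUTABLE_EXTS) and part.get_content_maintype() != "application":
            reasons.append("mime-mismatch:" + name)
    return reasons


def build_sample(subject, filename, maintype, subtype, size):
    """Build a constructed test message; the payload is zero bytes, not a real sample."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"\0" * size, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    suspect = build_sample("Re: Your Password!", "Decrypt-password.exe", "audio", "x-wav", 48640)
    benign = build_sample("Quarterly report", "report.pdf", "application", "pdf", 1000)
    print(inspect_message(suspect))
    print(inspect_message(benign))
```

Matching on subject, name and size only catches this one variant; the mismatch check is the part that keeps working when those values change.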
