From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: Mon Dec 30 2002 - 20:00:15 CST


    gillettdavidfhda.edu wrote:

    > So far today, I've received two email messages from
    >
    > kbl-zrz2519.zeelandnet.nl [62.238.233.233]
    >
    > which, apparently, claimed in its HELO message to *be*
    > our local MX (which of course was who it was talking TO).
    > Sounds to me like a bug in the sending software.
    >
    > The other thing these messages had in common was a
    > 33KB .scr ("screen saver") executable attachment.
    > Norton doesn't recognize this as a known threat, but
    > I don't want to be the first to learn the hard way what
    > it does.
    >
    > MAYBE this is just ill-conceived and poorly-written
    > spam. Maybe it's something more serious. Anybody know
    > one way or the other?

    One of the new Yaha variants is quite widespread right at the moment.
    Many scanners detect it as Yaha.K, but some suggest it is another
    variant, and I'm fairly sure it is what MessageLabs has listed as
    Yaha.M.

    Anyway, we have seen cases of this being missed entirely by "block PE
    executable" type policies at some content filtering gateways because
    of faults in the gateway scanner's assumptions about MIME attachments
    (although these assumptions are based on correct interpretation of
    the relevant RFCs, virus writers and popular Email clients do not pay
    overly slavish attention to RFC details...). I have also heard that
    (some versions of) NAV were missing this variant if updated via the
    auto-update method but then magically detected the virus if a manual
    update was forced.

    Anyway, a normal copy of Yaha.K is 34,304 bytes and more of the
    filenames in the list it selects its "infected" Email message's
    attachment name from are .SCR types than any other -- about 3 to 1 --
    so the odds are high it will come as an SCR attachment. I'd say the
    odds are good that you have been seeing a Yaha variant and probably
    Yaha.K. MessageLabs 24 hour reports show Yaha.M currently running
    second to Klez.H and well ahead of the rest of the pack and several
    vendors have raised alerts about the rate at which this is spreading.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
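The gateway failure Nick describes above (a "block PE executable" policy that trusts how the sender labelled the MIME part) suggests a simple defensive check: judge each part by its decoded content as well as its declared name. The following is an added illustration written for this archive page, not code from either poster or from any product; the constructed sample message and the 128-byte stand-in for a PE file are both invented here.

```python
import base64
import email
import os
from email import policy

# Extensions Windows runs as programs; .scr (screen saver) is the one in the thread.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def find_executable_attachments(raw_message: bytes):
    """Return (declared_name, reason) for each MIME part that looks like a
    Windows executable, judged by decoded content (MZ header) as well as by
    the declared filename, so a mislabelled part does not slip through."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP first
        name = part.get_filename() or ""  # Content-Disposition, then Content-Type name
        reasons = []
        if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        if payload[:2] == b"MZ":
            reasons.append("MZ header in decoded body")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


# Constructed sample: a 128-byte stand-in for a PE file (not a real program),
# attached twice -- once honestly named, once as text/plain with a .txt name.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x90" * 126).decode()
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\nTo: postmaster@example.invalid\r\n"
    "Subject: constructed test\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    "--XX\r\nContent-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="funny.scr"\r\n\r\n'
    f"{FAKE_PE_B64}\r\n"
    '--XX\r\nContent-Type: text/plain; name="notes.txt"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    f"{FAKE_PE_B64}\r\n--XX--\r\n"
).encode()

if __name__ == "__main__":
    for name, why in find_executable_attachments(SAMPLE_MESSAGE):
        print(f"{name or '<unnamed>'}: {why}")
```

The second part is declared as plain text with a harmless name and would pass an extension-only filter; the content check still flags it.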
    
