-
June 27th, 2005, 09:06 PM
#1
Anyone seeing this?
My gateway is catching a lot of executables attempting to come in via e-mail. The e-mail is coming in with a subject of either "Is sent SMS" or "The picture is sent on SMS". The executable usually has the name of "f5434.exe" or "ds-rwe.exe" .
Now I have searched the usual (Symantec, TrendMicro....etc) but I am coming up blank. Anyone seeing this activity?
Cheers:
-
June 27th, 2005, 09:09 PM
#2
I think I received it once or twice, but it was marked as spam by gmail so i just deleted it.
-
June 27th, 2005, 09:11 PM
#3
DjM can you turn one into a .txt or zip?
I will gladly dissect it for you
-
June 27th, 2005, 09:16 PM
#4
Originally posted here by nihil
DjM can you turn one into a .txt or zip?
I will gladly dissect it for you
Sorry Mate, I have a "drop-dead" rule on my gateway. All executables are stripped and sent to that big "bit-bucket" in the sky. To trap one, I have to disable the rule, which is something I am not real crazy about doing.
I'll see if I can come up with a way to trap one without throwing the doors wide open.
Cheers:
-
June 27th, 2005, 09:17 PM
#5
Hey Hey,
Here's a copy of the file.
It came in to our work email (2 copies to our one helpdesk account over the weekend, and one to our other account...)
The original zip file is in the folder... and the folder is compressed into a new zip file with the password antionline.com
Maybe I'll throw it into a VM tonight and see what it does...
Peace,
HT
-
June 27th, 2005, 09:19 PM
#6
Nope
Not getting any here.......Yet!
Just checked what was filtered too....nothing similar
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
June 27th, 2005, 09:20 PM
#7
Originally posted here by HTRegz
Hey Hey,
Here's a copy of the file.
It came in to our work email (2 copies to our one helpdesk account over the weekend, and one to our other account...)
The original zip file is in the folder... and the folder is compressed into a new zip file with the password antionline.com
Maybe I'll throw it into a VM tonight and see what it does...
Peace,
HT
I am seeing that zip file too HT, along with Beach.zip and In_park.zip.
Can you find any info. on the Virus sites about this?
Cheers:
-
June 27th, 2005, 09:21 PM
#8
http://isc.sans.org/
http://isc.sans.org/diary.php?date=2005-06-26
We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
June 27th, 2005, 09:44 PM
#9
When scanned with Symantec Corp, it comes up as this...
http://securityresponse.symantec.com...n.tooso.j.html
SNIP
Trojan.Tooso.J is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
June 27th, 2005, 09:48 PM
#10
Originally posted here by thehorse13
When scanned with Symantec Corp, it comes up as this...
http://securityresponse.symantec.com...n.tooso.j.html
SNIP
Trojan.Tooso.J is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.
I figured that was the bugger too horse, but the Symantec write-up didn't have very much detail (subject line, attachment name...etc)
Cheers:
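As an added example (not from the thread or any of its posters), here is a small Python triage check that applies the indicators collected in this thread to a raw message: the "sent SMS" subject lines, the executable names inside the zip attachments, and the md5 the ISC diary gives for f22-013.exe. The sample mails are constructed inline and carry no real malware, so the md5 branch only fires on a genuine sample.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators quoted in the thread; the md5 is the one ISC published for f22-013.exe.
KNOWN_MD5 = {"3f123980866092fedd6bc75e9b273087"}
KNOWN_EXE_NAMES = {"f5434.exe", "ds-rwe.exe", "f22-013.exe"}
SUBJECT_RE = re.compile(r"\bsent (on )?SMS\b", re.IGNORECASE)


def inspect_message(raw: bytes) -> dict:
    """Match one RFC 822 message against the indicators above and return the hits."""
    msg = email.message_from_bytes(raw)
    hits = {"subject": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
            "exe_in_zip": [], "known_name": [], "md5_match": []}
    for part in msg.walk():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                for info in zf.infolist():
                    member = info.filename.lower()
                    if not member.endswith(".exe") or info.file_size > 5_000_000:
                        continue  # not an executable, or too big to hash safely (zip-bomb guard)
                    hits["exe_in_zip"].append(info.filename)
                    if member in KNOWN_EXE_NAMES:
                        hits["known_name"].append(info.filename)
                    if hashlib.md5(zf.read(info)).hexdigest() in KNOWN_MD5:
                        hits["md5_match"].append(info.filename)
        except zipfile.BadZipFile:
            pass  # corrupt or non-zip payload named .zip: leave it to the AV layer
    if hits["md5_match"]:
        hits["verdict"] = "known_bagle"
    elif hits["exe_in_zip"] and (hits["subject"] or hits["known_name"]):
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "review" if (hits["exe_in_zip"] or hits["subject"]) else "clean"
    return hits


def build_sample(subject: str, inner_name: str, body: bytes) -> bytes:
    # Constructed test mail: one harmless file zipped and attached as Beach.zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, body)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Beach.zip")
    return bytes(msg)
```

A gateway that already strips executables, as DjM's does, can still run this on the quarantined copies to confirm which of the dropped mails belonged to this campaign.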