I just received an email proporting to be from Symantec that contained an anti-virus signature update. The message originated in the Netherlands. The attachment has been submitted to Symantec and FortiNet for review, however, I thought the community might want a heads up since I do not know the degree to which this has been distributed. The full content of the message I received is below: X-Persona: <CIS> Return-Path: <updates@symantec.com> X-Original-To: afried@cis.fed.gov Delivered-To: afried@cis.fed.gov Received: from node0938.a2000.nl (node0938.a2000.nl [62.108.9.56]) by mailserver.cis.fed.gov (Postfix) with SMTP id 22868FD52 for <afried@cis.fed.gov>; Tue, 7 Oct 2003 06:22:19 -0400 (EDT) Message-ID: <20031026614.2874.qmail@symantec.com> Date: Tue, 7 Oct 2003 03:26:29 -0700 From: <updates@symantec.com> Subject: Last Update. To: <afried@cis.fed.gov> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E" X-UIDL: G]m!!l"d"!b\E"!\]5"! October 06, 2003 Intruder Alert 4.1 W32_Webb_Worm Policy This policy detects the propagation of the W32.SobigF.Worm through changes in the registry. W32.Webb.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code. In attachment you can find program that update your Norton Antivirus to Norton Antivirus 2004. [nav32.zip] Scanned by evaliation version of Dr.Web antivirus Daemon http://drweb.ru/unix/