
I just received an email purporting to be from Symantec that contained an anti-virus signature update. The message originated in the Netherlands. The attachment has been submitted to Symantec and FortiNet for review; however, I thought the community might want a heads up since I do not know the degree to which this has been distributed. The full content of the message I received is below:

X-Persona: <CIS>
Return-Path: <updates@symantec.com>
X-Original-To: afried@cis.fed.gov
Delivered-To: afried@cis.fed.gov
Received: from node0938.a2000.nl (node0938.a2000.nl [62.108.9.56])
        by mailserver.cis.fed.gov (Postfix) with SMTP id 22868FD52
        for <afried@cis.fed.gov>; Tue, 7 Oct 2003 06:22:19 -0400 (EDT)
Message-ID: <20031026614.2874.qmail@symantec.com>
Date: Tue, 7 Oct 2003 03:26:29 -0700
From: <updates@symantec.com>
Subject: Last Update.
To: <afried@cis.fed.gov>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"
X-UIDL: G]m!!l"d"!b\E"!\]5"!

October 06, 2003

Intruder Alert 4.1 W32_Webb_Worm Policy

This policy detects the propagation of the W32.SobigF.Worm through changes in the registry. W32.Webb.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

In attachment you can find program that update your Norton Antivirus to Norton Antivirus 2004.

[nav32.zip]

Scanned by evaliation version of Dr.Web antivirus Daemon
http://drweb.ru/unix/

I got a copy from someone on Videotron just a short while ago:

Return-Path: <updates@symantec.com>
Received: from modemcable100.179-201-24.mtl.mc.videotron.ca ([24.201.179.100])
        by fep02-mail.bloor.is.net.cable.rogers.com
        (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
        id <20031008021701.FIGV80253.fep02-mail.bloor.is.net.cable.rogers.com@modemcable100.179-201-24.mtl.mc.videotron.ca>
        for <rviau75@rogers.com>; Tue, 7 Oct 2003 22:17:01 -0400
Message-ID: <2003101346.11398.qmail@symantec.com>
Date: Tue, 7 Oct 2003 19:21:59 -0700
From: <updates@symantec.com>
Subject: Last Update.
To: <rviau75@rogers.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Andrew Fried
Sent: October 7, 2003 8:16 AM
To: nanog@merit.edu
Subject: New virus

I just received an email purporting to be from Symantec that contained an anti-virus signature update. The message originated in the Netherlands. The attachment has been submitted to Symantec and FortiNet for review; however, I thought the community might want a heads up since I do not know the degree to which this has been distributed. The full content of the message I received is below:

X-Persona: <CIS>
Return-Path: <updates@symantec.com>
X-Original-To: afried@cis.fed.gov
Delivered-To: afried@cis.fed.gov
Received: from node0938.a2000.nl (node0938.a2000.nl [62.108.9.56])
        by mailserver.cis.fed.gov (Postfix) with SMTP id 22868FD52
        for <afried@cis.fed.gov>; Tue, 7 Oct 2003 06:22:19 -0400 (EDT)
Message-ID: <20031026614.2874.qmail@symantec.com>
Date: Tue, 7 Oct 2003 03:26:29 -0700
From: <updates@symantec.com>
Subject: Last Update.
To: <afried@cis.fed.gov>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"
X-UIDL: G]m!!l"d"!b\E"!\]5"!

October 06, 2003

Intruder Alert 4.1 W32_Webb_Worm Policy

This policy detects the propagation of the W32.SobigF.Worm through changes in the registry. W32.Webb.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

In attachment you can find program that update your Norton Antivirus to Norton Antivirus 2004.

[nav32.zip]

Scanned by evaliation version of Dr.Web antivirus Daemon
http://drweb.ru/unix/
participants (2)
- Andrew Fried
- Rob V
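
An added example, not part of the thread: a header triage check built on the two reports above, comparing the claimed Return-Path domain with the host and IP the receiving server logged in its Received line, and grouping messages by MIME boundary (both reports show the same boundary string). The header values are copied from the thread and trimmed to the fields used; the function names and sample labels are assumptions made for this sketch.

```python
import re
from email import message_from_string

# Headers taken from the two reports in this thread (trimmed to the fields used).
SAMPLES = {
    "fried": (
        "Return-Path: <updates@symantec.com>\n"
        "Received: from node0938.a2000.nl (node0938.a2000.nl [62.108.9.56])"
        " by mailserver.cis.fed.gov (Postfix) with SMTP id 22868FD52\n"
        'Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"\n\n'
    ),
    "rob": (
        "Return-Path: <updates@symantec.com>\n"
        "Received: from modemcable100.179-201-24.mtl.mc.videotron.ca"
        " ([24.201.179.100]) by fep02-mail.bloor.is.net.cable.rogers.com\n"
        'Content-Type: multipart/mixed; boundary="----------9D16FAF1684605E"\n\n'
    ),
}

def analyze(raw):
    """Compare the claimed envelope sender with the host that delivered the mail."""
    msg = message_from_string(raw)
    sender_domain = msg["Return-Path"].strip("<>").rsplit("@", 1)[-1].lower()
    # The topmost Received header is written by the recipient's own server;
    # the bracketed IP is what that server observed, so it is the trusted part.
    m = re.match(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)", msg.get_all("Received")[0])
    relay_host, relay_ip = m.group(1).lower(), m.group(2)
    aligned = relay_host == sender_domain or relay_host.endswith("." + sender_domain)
    return {
        "sender_domain": sender_domain,
        "relay_host": relay_host,
        "relay_ip": relay_ip,
        "relay_matches_sender": aligned,
        "boundary": msg.get_boundary(),
    }

def shared_boundaries(reports):
    """Group messages by MIME boundary and keep boundaries seen more than once."""
    groups = {}
    for name, info in reports.items():
        groups.setdefault(info["boundary"], []).append(name)
    return {b: sorted(n) for b, n in groups.items() if len(n) > 1}

if __name__ == "__main__":
    reports = {name: analyze(raw) for name, raw in SAMPLES.items()}
    for name, info in reports.items():
        print(name, info)
    print(shared_boundaries(reports))
```

A relay name that does not fall under the sender's domain is only a triage signal, since legitimate mail is often relayed by third parties; here it coincides with two unrelated access-provider hosts and an identical boundary string.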