Warning - new trend of attempts to infect ISP users (possibly virus)

Stephen J. Wilcox steve at telecomplete.co.uk
Wed Mar 3 16:15:39 UTC 2004


> > Erm is it me or are the writers of Bagle and Netsky determined to keep morphing 
> > their code to outwit the virus scanners.. is this a new trend in virus writing - 
> > beat the systems by evolving your code quicker than the security firms can 
> > release updates?
> 
> new trend in that it started only a decade ago?

Perhaps I'm only following this as it's affecting us more, but I don't recall a 
time previously when I've had so many viruses hitting us and getting through our 
scanners with nothing we can do about it. I don't recall seeing viruses with 
variants as high as 'j' before, especially in the relatively short time since 
the previous variants were out.

Seriously, drop some references if I'm off-track.. it's just my perception and 
I'm not an expert at all with viruses...

Steve




> > On Tue, 2 Mar 2004, Larry Rosenman wrote:
> > 
> > > <http://vil.nai.com/vil/content/v_101071.htm>
> > > 
> > > W32/Bagle.[hij]@MM
> > > 
> > > 
> > > 
> > > --On Tuesday, March 02, 2004 20:07:17 -0800 "william(at)elan.net" 
> > > <william at elan.net> wrote:
> > > 
> > > >
> > > >
> > > > I have just seen emails (several different kinds) pretending to be sent
> > > > from 3 of my isp domains to users of those domains warning users that
> > > > their email account would be disabled and asking to open a .pif
> > > > attachment. I know largest ISPs probably have experienced this but I
> > > > believe what I  have seen today means they are after ISPs (or possibly
> > > > just after any  domains with number of email addresses under them) of all
> > > > sizes right at  the moment. All emails we received from the same source
> > > > ip - 129.59.206.187 Please check your email base for what looks like the
> > > > following
> > > > (in the examples I changed everything to elan.net, actually every isp
> > > > domain received different example of this, only first one is exact).
> > > >
> > > > Example 1:
> > > > ---
> > > > From: management at elan.net
> > > > To: xxxxx at elan.net
> > > > Subject: Email account utilization warning.
> > > >
> > > > Hello  user  of Elan.net e-mail server,
> > > >
> > > > Your e-mail account has  been temporary disabled  because  of unauthorized
> > > > access.
> > > >
> > > > For further details see the  attach.
> > > >
> > > > Best wishes,
> > > >    The Elan.net team                               http://www.elan.net
> > > > ---
> > > >
> > > > Example 2:
> > > > ---
> > > > From: administration at elan.net
> > > > To: xxxx at elan.net
> > > > Subject: Warning about your e-mail account.
> > > >
> > > > Dear user of "Elan.net" mailing system,
> > > >
> > > > Our main mailing server  will be temporary  unavaible  for next two days,
> > > > to  continue receiving mail in these  days you  have  to  configure  our
> > > > free auto-forwarding service.
> > > >
> > > > Further details  can be  obtained  from attached  file.
> > > >
> > > > Cheers,
> > > >    The Elan.net team                             http://www.elan.net
> > > > ---
> > > >
> > > > Example 3:
> > > > ---
> > > > To: xxxxx at elan.net
> > > > Subject: Warning about your e-mail account.
> > > > From: administration at elan.net
> > > >
> > > > Dear user, the management of Elan.net mailing system wants to let you
> > > > know that,
> > > >
> > > > Some of our clients complained  about the spam (negative e-mail content)
> > > > outgoing from your e-mail account. Probably, you have been  infected by
> > > > a  proxy-relay trojan  server. In order to keep  your  computer safe,
> > > > follow the instructions.
> > > >
> > > > Please, read  the attach for further details.
> > > >
> > > > The Management,
> > > >      The  Elan.net team                             http://www.elan.net
> > > >
> > > >
> > > 
> > > 
> > > 
> > > 
> > 
> 
> 