Re: Trojan Alert

Avi Schwartz wrote:

> According to my virus scanner, the message from Wuttipong Suvaphrom
> <wutti_s@hotmail.com> titled  "v7.0.3 on Solaris 2.7" contained the
> "TR.Worm.Navidad" Trojan.  Be carefull:
>
> ----- log file begin -----
> info: extracting attachment 1 to /var/tmp/avVBIA4R/av-0
> (encoding="quoted-printable", name="(no name)", filename="(no name)")
> info: extracting attachment 2 to /var/tmp/avVBIA4R/av-1
> (encoding="base64",
> name="Navidad.exe", filename="Navidad.exe")
> checking file "/var/tmp/avVBIA4R/av-0"
> checking file "/var/tmp/avVBIA4R/av-1"
>  VIRUS! the file "/var/tmp/avVBIA4R/av-1" contains code of
> "TR.Worm.Navidad"
> ----- log file end -----
>
> Thanks,
> Avi
> --
> Avi Schwartz
> avi@CFFtechnologies.com

Just got this one too, although in one of its alternative incarnations!

The attached mail has been found to contain a virus
Originally /usr/sbin/scanmails -f pgsql-admin-owner@postgresql.org -Y
-a  -d dmill
The mail has been stored as /var/virusmails/root/virus-20001124-5063
xxxxxxxxxxxxxxxxxxFri Nov 24 13:58:34 GMT 2000xxxxxxxxxxxxxxxxxxxxxxx
scanmails (0.2.1) called -f pgsql-admin-owner@postgresql.org -Y -a  -d
dmill
FROM: pgsql-admin-owner@postgresql.org
TO: dmill

<snip>

/var/tmp/scanmails5063/unpacked/SFX:
total 2
drwxr-xr-x    2 root     root         1024 Nov 24 13:58 .
drwxr-xr-x    3 root     root         1024 Nov 24 13:58 ..
Scanning /var/tmp/scanmails5063/unpacked/*
Scanning file /var/tmp/scanmails5063/unpacked/mm.VBPik2
Scanning file /var/tmp/scanmails5063/unpacked/Navidad.exe
/var/tmp/scanmails5063/unpacked/Navidad.exe
        Found the W32/Navidad@M trojan !!!

Info on the virus can be found at:
http://vil.nai.com/vil/dispVirus.asp?virus_k=98881

Looks like it could be nasty if you run Outlook on a Whinedoze PC.

Watch your backs!
Dave

--
He was part of my dream, of course -- but then I was part of his dream too.
                -- Lewis Carroll

email: dave@largesalad.co.uk
web1 : www.largesalad.co.uk
web2 : www.p21.co.uk