According to Trend: htm.exe, txt.exe, txt.scr According to McAfee: EXE, COM, SCR, PIF, BAT, CMD According to Symantec: exe, txt.exe, htm.exe, txt.scr, zip Hmm, I wonder who is right... -Bryan On 8/4/04 11:07 AM, "Paul Kurczaba" <paul@xxxxxxxxxx> wrote: > What extension does the attachment have (exe, pif, zip)? > > -Paul > ----- Original Message ----- > From: <albatross@xxxxxx> > To: <bugtraq@xxxxxxxxxxxxxxxxx> > Sent: Wednesday, August 04, 2004 9:22 AM > Subject: New MyDoom variant > > >> >> >> The SANS Institute reports a new variant of MyDoom in the wild actually > not recognized by AV vendors: >> >> New MyDoom On The Loose >> >> Initial analysis (we will update as we know more): >> >> Currently (16:00GMT), signatures are not yet available. >> UPDATED (17:00GMT): >> - Signatures are starting to come out, identifying this as MyDoom.O, > MyDoom.P or Evaman.C >> - It appears that this may only work on Win2K and WinXP machines because > the executable requires psapi.dll. >> - Copies itself to the Windows' system directory as winlibs.exe and > installs itself under > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >> >> UPDATED (17:30GMT) - *BETA* Snort Sigs: >> UPDATED (17:40GMT) - *BETA #2* Snort Sigs: >> UPDATED (19:30GMT) - *BETA #3* Snort Sigs: >> >> >> var YAHOO [216.109.127.126/32] >> #var YAHOO any >> pass tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address > search";\ >> sid:900018; rev:4; flow:established,to_server; flags:A+;\ >> flowbits:set,search_uri; content: "/py/psSearch.py|3f|";) >> alert tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address > search";\ >> sid:900018; rev:4; flow:established,to_server; flags:A+;\ >> flowbits:isset,search_uri; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM";) >> >> Targets Yahoo's people search: >> >> http://email.people.yahoo.com:80/py/psSearch.py? >> >> NEW (1700GMT)- Example packet capture: >> >> 12:23:22.922862 10.1.0.129.1035 > 216.109.127.126.80: P 5:310(305) ack 1 > win 175 20 (DF) >> 0x0000 4500 0159 0077 4000 8006 96ba 0a01 0081 E..Y.w@......... >> 0x0010 d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1 .m.~...P"..|k.^. >> 0x0020 5018 4470 46c9 0000 2f70 792f 7073 5365 P.DpF.../py/psSe >> 0x0030 6172 6368 2e70 793f 4669 7273 744e 616d arch.py?FirstNam >> 0x0040 653d 4a61 6d69 6526 696e 6465 783d 2048 e=Jamie&index=.H >> 0x0050 5454 502f 312e 300d 0a41 6363 6570 743a TTP/1.0..Accept: >> 0x0060 2069 6d61 6765 2f67 6966 2c20 696d 6167 .image/gif,.imag >> 0x0070 652f 782d 7862 6974 6d61 702c 2069 6d61 e/x-xbitmap,.ima >> 0x0080 6765 2f6a 7065 672c 2069 6d61 6765 2f70 ge/jpeg,.image/p >> 0x0090 6a70 6567 2c20 6170 706c 6963 6174 696f jpeg,.applicatio >> 0x00a0 6e2f 766e 642e 6d73 2d65 7863 656c 2c20 n/vnd.ms-excel,. >> 0x00b0 6170 706c 6963 6174 696f 6e2f 6d73 776f application/mswo >> 0x00c0 7264 2c20 6170 706c 6963 6174 696f 6e2f rd,.application/ >> 0x00d0 766e 642e 6d73 2d70 6f77 6572 706f 696e vnd.ms-powerpoin >> 0x00e0 742c 202a 2f2a 0d0a 4163 6365 7074 2d4c t,.*/*..Accept-L >> 0x00f0 616e 6775 6167 653a 2065 6e2d 7573 0d0a anguage:.en-us.. >> 0x0100 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding: >> 0x0110 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate.. >> 0x0120 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi >> 0x0130 6c6c 612f 342e 300d 0a48 6f73 743a 2045 lla/4.0..Host:.E >> 0x0140 4d41 494c 2e50 454f 504c 452e 5941 484f MAIL.PEOPLE.YAHO >> 0x0150 4f2e 434f 4d0d 0a0d 0a O.COM.... >> >> >> Message subjects(?): >> >> SN: New secure mail >> SN: New secure mail >> Secure delivery >> Secure delivery >> failed transaction >> failed transaction >> Re: hello (Secure-Mail) >> Re: hello (Secure-Mail) >> Re: Extended Mail >> Re: Extended Mail >> Delivery Status (Secure) >> Delivery Status (Secure) >> Re: Server Reply >> Re: Server Reply >> SN: Server Status >> SN: Server Status >> >> >> Message body contains(?): >> >> Automatically Secure Delivery: for >> Automatically Secure Delivery: for >> Mail Delivery Server System: for >> Mail Delivery Server System: for >> Extended secure mail message available at: >> Extended secure mail message available at: >> Secure Mail Server Notification: for >> Secure Mail Server Notification: for >> New mail secure method implement: for >> New mail secure method implement: for >> New policy requested by mail server to returned mail >> as a secure compiled attachment (Zip). >> New policy requested by mail server to returned mail >> as a secure compiled attachment (Zip). >> Now a new message is available as secure Zip file format. >> Due to new policies on clients. >> Now a new message is available as secure Zip file format. >> Due to new policies on clients. >> This message is available as a secure Zip file format >> due to a new security policy. >> This message is available as a secure Zip file format >> due to a new security policy. >> For security measures this message has been packed as Zip format. >> This is a newly added security feature. >> For security measures this message has been packed as Zip format. >> This is a newly added security feature. >> New policy recommends to enclose all messages as Zip format. >> Your message is available in this server notice. >> New policy recommends to enclose all messages as Zip format. >> Your message is available in this server notice. >> You have received a message that implements secure delivery technology. >> Message available as a secure Zip file. >> You have received a message that implements secure delivery technology. >> Message available as a secure Zip file. >> This message is an automatically server notice >> from Administration at >> This message is an automatically server notice >> from Administration at >> Server Notice: New security feature added. MSG:ID: 455sec86 >> Server Notice: New security feature added. MSG:ID: 455sec86 >> New feature added for security reasons >> New feature added for security reasons >> Automatically server notice:, >> Server reply from >> Automatically server notice:, >> Server reply from >> New service policy for security added from >> New service policy for security added from >> >> >> The executable contains the following names that are used to search Yahoo: >> Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker, > Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony, > Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter, > Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell, > Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris, Rogers, > Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie, > Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel, Marcos, > Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine, > Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin, > Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland, Cecily, > Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold, Watkins, > Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez, > Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton, > Allison, Monique, Summers, Cortez, Barton, Deleon, H >> arrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna, > Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra, > Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller, Barton, > Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders, Ramirez, > Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua, > Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider, > Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter, Simpson, > Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields, > Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert, Cummings, > Leonard, Barker, Norris. >> > >
