[Esa-l] Heads up, new virus...
John D. Hardin
jhardin at wolfenet.com
Sat Nov 18 06:43:43 PST 2000
On Thu, 16 Nov 2000, Andre Kajita - Administrador da Rede wrote:
> Our nets were affected by the new mail virus - myromeo/myjuliet.
Everybody: We're professionals. Please include AV Vendor URLs for
verification.
> 4 myromeo.exe
Would be mangled, but go ahead and add it to your poisoned list.
> 5 myjuliet.chm
You should already be poisoning *.chm, so this would poison and
quarantine the message by itself.
> The html part consists of a few lines:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> </HEAD>
> <BODY BGCOLOR="black" TEXT="red">
> <DIV> </DIV>
>
> <DEFANGED_IFRAME width=3D1 height=3D1
> src=3D"cid:000701bf8458$eb570380$dc0732d4 at 666"></IFRAME>
> <DEFANGED_IFRAME width=3D1 height=3D1
> src=3D"cid:000701bf8458$eb570381$dc0732d4 at 666"></IFRAME>
> <P></P>
>
> <DEFANGED_SCRIPT>
> window.showHelp("c:/windows/temp/myjuliet.chm");
> </SCRIPT>
>
> </BODY></HTML>
...and this gets defanged so that it won't auto-execute.
A standard sanitizer install with the recommended default poison list
will block this, but you probably should go ahead and add MYROMEO.EXE
to your poisoned list just for paranoia's sake.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
5 days until Thanksgiving
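
The two defenses described in the message above (matching attachment names against a poison list, and defanging active HTML tags), as an added Python illustration that is not part of the original post and is not the sanitizer's own code. The function names, the `POISONED` list contents beyond the two names in the message, the tag set and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from fnmatch import fnmatch

# Assumed poison list: the two patterns named in the message above.
POISONED = ["*.chm", "myromeo.exe"]
# Opening tags that can auto-execute or auto-load content when mail is rendered.
ACTIVE_TAGS = re.compile(r"<(script|iframe|object|embed)\b", re.IGNORECASE)

def poisoned_names(msg):
    """Return attachment filenames matching the poison list (case-insensitive)."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(fnmatch(name.lower(), pat) for pat in POISONED):
            hits.append(name)
    return hits

def defang_html(html):
    """Rename opening active tags so a mail client no longer recognises them."""
    return ACTIVE_TAGS.sub(lambda m: "<DEFANGED_" + m.group(1).upper(), html)

def sanitize(raw):
    """Return (quarantine?, poisoned filenames, defanged HTML bodies)."""
    msg = message_from_string(raw)
    hits = poisoned_names(msg)
    bodies = [defang_html(p.get_payload(decode=True).decode("ascii", "replace"))
              for p in msg.walk() if p.get_content_type() == "text/html"]
    return bool(hits), hits, bodies

# Constructed sample message (not a real capture); attachment bodies are dummy text.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<HTML><BODY><IFRAME width=1 height=1 src="cid:part1"></IFRAME>
<SCRIPT>window.showHelp("c:/windows/temp/myjuliet.chm");</SCRIPT></BODY></HTML>
--B
Content-Disposition: attachment; filename="MyRomeo.EXE"

dummy
--B
Content-Disposition: attachment; filename="myjuliet.chm"

dummy
--B--
"""
```

Either poison-list hit alone is enough to quarantine the sample, and the HTML part is defanged independently of that decision.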