tricky new virus

labrat25

Senior member
Jan 7, 2004
557
0
0
anybody seen/heard of this virus?

"Hello user of Purdue.edu e-mail server,

Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.

For details see the attach.

For security purposes the attached file is password protected. Password is "07074".

Have a good day,
The Purdue.edu team"

it's a zip file that gave McAfee a seizure when i opened it
(i scanned it before i unzipped, nothing)

right now i'm feeling really stupid :| and having McAfee scan the whole system

anybody know what virus this is so I can download the cleaning tool?
 

Confused

Elite Member
Nov 13, 2000
14,166
0
0
Linky


Don't you find it weird that "for security" the details are password protected...but they sent you the password IN THE SAME EMAIL



Confused
 

TMTCC

Member
Mar 31, 2000
152
0
76
Tricky indeed. I've been getting the same mail here at Ohio State from the so-called "osu.edu" team. Be warned out there and don't open it!
 

thorin

Diamond Member
Oct 9, 1999
7,573
0
0
Originally posted by: Confused
Linky


Don't you find it weird that "for security" the details are password protected...but they sent you the password IN THE SAME EMAIL

It boggles the mind how many people don't think past the end of their nose. When was the last time anyone received a credit card that was already activated? When was the last time the bank sent you a new client card with the PIN in the same package?

Not to mention the fact that the email isn't even written in halfway decent English, which it would "likely" be if it was actually valid (schools and big companies actually do "tend" to edit these messages before sending them out).

"Hello user of Purdue.edu e-mail server,"
User is singular....this is going to hundreds/thousands of users (if it were valid)......

"Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service."
It's a "mailing server" not a mail server? And only receiving is going to be broken? Not to mention that mailing seems to indicate outgoing.

"For details see the attach."
"the attach" wtf is that? Not see attached or see attachment just see attach......

Anyway I digress..... all these ppl that get roped in make me laugh.

labrat25 Sorry to hear you got scammed dude, I know school life can get pretty tiring at times and everyone makes mistakes on this type of crap so I hope you haven't had any serious damage done to yer sys....GL!

Thorin
 

toleraen

Member
Jan 26, 2004
42
0
0
same with our campus...it's days like this i'm glad i do tech support for everyone on campus. wahoo!
 

labrat25

Senior member
Jan 7, 2004
557
0
0
after i opened it i noticed i had 4 copies of the same email...

lesson of the day: never open attachments when only half awake
 

daballard

Member
Feb 9, 2004
44
0
0
Yeah, I worked tech support at our campus (University of Wisconsin) too and knew these emails were coming. Got my first one this morning and had to advise some of my less tech-savvy friends that their email is really fine, just don't open the attachment.

Originally posted by: labrat25
after i opened it i noticed i had 4 copies of the same email...

lesson of the day: never open attachments when only half awake

Um, never open attachments period unless you know they're coming?
 

apoppin

Lifer
Mar 9, 2000
34,890
1
0
alienbabeltech.com
Has anybody noticed the extraordinary proliferation of new viruses, worms and variants? . . . I never saw anything like this up-till-now . . . Norton is UPdating AT LEAST once-a-day.
 

labrat25

Senior member
Jan 7, 2004
557
0
0
Originally posted by: apoppin
Norton is UPdating AT LEAST once-a-day.

I wish McAfee would... i guess you get what you pay for (free through the university)
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
If you didn't execute anything from the zip file, what's the problem?
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
Then why are you "feeling stupid?" The virus scanner probably only reported that the files were viruses. It uses terms like "infected" to sensationalize it. You weren't infected unless it used an exploit to execute itself (Perhaps a common zip program has a password protection buffer overflow error?)
 

webwalker

Member
Feb 21, 2004
38
0
0
Here's the info as sent from our computer support this morning:

"Messages generated by Beagle.J include a password-protected ZIP file as an attachment, and a passcode in the message body. The ZIP file actually contains a copy of the worm. If a recipient uses the passcode and opens the ZIP attachment on a vulnerable computer, the worm will infect the computer."

Not sure if McAfee didn't get it because it didn't have the virus sig, or if compressed (zip) files don't look the same to the virus scanner. Anyone?
 

SocrPlyr

Golden Member
Oct 9, 1999
1,513
0
0
When i got it this morning.
Our school's email virus scanner was unable to scan it because it was "encrypted".
Since it was unable to scan it it did append the message stating that it was not able to be scanned which was nice...

Josh
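
The check a mail gateway can make in the situation described in the last two posts, as an added example that is not from any poster or vendor: it reads the "encrypted" flag (bit 0 of the general-purpose flags) on each ZIP entry and escalates when the message text also states a password. The function names, verdict strings and password regex are assumptions, and the sample archive is constructed with the flag set by hand rather than with real encryption.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed heuristic: a password or passcode spelled out in the message text.
PASSWORD_HINT = re.compile(r'pass(?:word|code)\s*(?:is|:)\s*"?\w+', re.I)


def encrypted_entries(zip_bytes):
    """Names of archive members whose 'encrypted' flag (bit 0) is set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def triage(raw_message):
    """Return 'clean', 'unscannable' or 'quarantine' for one raw e-mail."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    verdict = "clean"
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        if encrypted_entries(data):
            # Content cannot be scanned; a password in the same mail
            # means the encryption only serves to get past the scanner.
            if PASSWORD_HINT.search(text):
                return "quarantine"
            verdict = "unscannable"
    return verdict


def sample_message(body_text):
    """Constructed sample: ZIP with the encryption flag bit set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.txt", "constructed placeholder content")
    raw = bytearray(buf.getvalue())
    # Flags field: offset 6 in a local header, offset 8 in a central one.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + off] |= 0x01
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body_text)
    msg.add_attachment(bytes(raw), maintype="application",
                       subtype="zip", filename="details.zip")
    return msg.as_bytes()
```

The "unscannable" verdict corresponds to the notice the school's scanner appended; "quarantine" covers the password-in-the-same-mail case pointed out earlier in the thread.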
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: labrat25
Originally posted by: apoppin
Norton is UPdating AT LEAST once-a-day.

I wish McAfee would... i guess you get what you pay for (free through the university)
Actually, McAfee is releasing EXTRA.DATs that cover most of these threats unless they hit the Medium-threat level, at which point McAfee releases a full numbered DAT to cover the need. Actually going and getting these is, unfortunately, something that your school's team may be slacking off on... the way I've gone here at work is to use McAfee's AutoUpdate Architect to create our own in-house repository where I can put the EXTRA.DAT, then command the PCs to go get it (even if I let them do this on their own timeframe, they are set up to update hourly).

Maybe forward that blurb on to your school's IT team and suggest that they set up their own on-campus repository and stock the EXTRA.DAT files (and assign someone to monitor McAfee's "newly-discovered threats" list for new threats, since they're coming thick & fast right now). They also should ensure that the PCs are set up to check the repository frequently, as well as perhaps one or two minutes after initial logon, so that there is minimal threat window.
 

daballard

Member
Feb 9, 2004
44
0
0
Originally posted by: labrat25
Originally posted by: apoppin
Norton is UPdating AT LEAST once-a-day.

I wish McAfee would... i guess you get what you pay for (free through the university)

Aren't McAfee and Norton owned by the same people anyways?
 

DarkKnight

Golden Member
Apr 21, 2001
1,197
0
0
I got that virus too, I'm at University of Maryland. I'm so glad I didn't download the attachment. My university said that u need McAfee Stinger to get rid of it
 

Texun

Platinum Member
Oct 21, 2001
2,058
1
81
I got an odd one last Friday evening that nailed me. It was an email with my address from work addressed to me here at home - from me to me.

No great mystery there since worms do that, but this one had an odd subject line that said, "You are dismissed." I scanned the attachment, which had an Excel icon, and it came back clean. You guessed it. My curiosity got the best of me and I opened it. The "Excel" file opened like a blank document even though it was about 200k in size. Knowing this was all wrong, I updated my AVG scanner and it went nuts. I removed it with no problem but admit that I fell for it because AVG didn't see it and the subject line was more than tempting. I thought I had fired myself. :Q
 

Gstanfor

Banned
Oct 19, 1999
3,307
0
0
Haven't seen this virus yet, but noticed on the CERT vulnerabilities summary I subscribe to that WinZip has a buffer overflow vulnerability.

Perhaps this is what the virus is trying to exploit.
 

compudog

Diamond Member
Apr 25, 2001
5,782
0
71
Both Panda and F-Secure caught the virus as it was entering my LAN at home. At work, it was a different story. Going in this morning, I had a heads up from Panda and WatchGuard so I printed off a quick doc and handed it out as the office staff filed in for the day.

Even with my stern warning and handout, I still had people calling me all day and even one girl double-clicked the attachment!!! Fortunately she did not have a utility to open the .zip archive so Windows had nothing to do.

We have Symantec 8.0 Corporate at the office. Usually, they are good for a weekly update, this week there were many more! It seems the "guys" that wrote Bagle/Beagle are taunting the "guys" that wrote Netsky.

Dasm Virus idiots!
 