OT: Particular String showing up today
Shortt, Kevin
KShortt at AZERTY.COM
Wed Apr 21 04:07:11 IST 2004
Looks like netsky.x.
sophos has it analyzed at:
http://www.sophos.com/virusinfo/analyses/w32netskyx.html
-k
-----Original Message-----
From: William Burns
To: MAILSCANNER at JISCMAIL.AC.UK
Sent: 4/20/2004 3:19 PM
Subject: Re: OT: Particular String showing up today
Ken:
Ken Rice wrote:
>I apologize for this OT post, so perhaps replies can be emailed to me
off list, please?
>
>I've seen several of these today, and ClamAv doesn't catch them all,
but MS does.
>
>The pattern in the Report: is basically the same, in the form of:
>
>www.[DOMAIN].com.[USERNAME].session-0000NNNN.com)
>
>Just curious if others have seen this.
>
>
Yup. I'm seeing them too today.
Vexira isn't catching them. (at least not all of them)
One of the other admins had the bright idea of turning off the antivirus
notifications so I can't tell you if some of them are getting caught.
-Bill
>At first, I thought I had more "juice" to get the Windows/Web people to
start Obfuscating email addresses on my
>companies' web pages, but that's another story.
>
>It's the session-nnnnnnn.com that intrigues me.
>
>thank you,
>
>Ken Rice
>
>An example of ClamAV nailing it along with MS:
>
>The following e-mail messages were found to have viruses in them:
>
> Sender: [deleted]
>IP Address: 67.22.83.126
> Recipient: [deleted]
> Subject: Delivery failure notice (ID-00003132)
> MessageID: i3KJLg126092
> Report: ClamAV Module:
www.[deleted].com.[usernamedeleted].session-00003132.com was infected:
Worm.SomeFool.Y
> MailScanner: Executable DOS/Windows programs are dangerous
in email
>(www.[deleted].com.[usernamedeleted].session-00003132.com)
>
>
>
More information about the MailScanner
mailing list