European Storm Video E-Mail
=====
UPDATE 1530 GMT 21 Jan 07:
Thanks to everybody who sent us new versions of this malware. We are going to stop adding MD5s to the list below. The malware will continue to mutate over the next several days and weeks.
-ms
=====
Due to a glitch when editing the diary, the older version didn't get retained. But well, this virus is pretty simple: If you get a .exe in your inbox, something is seriously wrong with your inbound mail filter. There is no good reason to send executables "plain" via email, and there are plenty of methods to filter them even before they ever hit the AV filter.
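One way to apply the filtering advice above at the gateway, as an added example that is not part of the original diary: refuse any MIME part with an executable extension or a PE header, so a variant is caught no matter what its MD5 is. The extension list, function names, addresses and sample attachments are assumptions constructed for illustration.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Extensions to refuse at the gateway (illustrative list, an assumption).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS MZ header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def executable_attachments(raw_message: bytes):
    """Return (filename, reason) for every MIME part that is an executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(BLOCKED_EXTENSIONS):
            findings.append((name, "blocked extension"))
        elif looks_like_pe(payload):
            # Content check catches an executable sent under another name.
            findings.append((name or "<unnamed>", "PE header"))
    return findings

def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed test message; addresses and names are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed 68-byte stub: MZ header whose e_lfanew (0x3C) points at a PE signature.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"

if __name__ == "__main__":
    for fname, data in [("Video.EXE", b"x"), ("clip.jpg", FAKE_PE), ("notes.txt", b"hi")]:
        print(fname, executable_attachments(build_sample(fname, data)))
```

Neither check depends on a signature or checksum, which is why it keeps working while the malware mutates.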
UPDATE:
A new variant of this virus has surfaced over the last 3-4 hours. This variant is slightly smaller than the original.
MD5 checksums for the files are:
- cf6c72dfa5a05beb46f21a21cb6d3487 for the original version
- b9a0d6c8493ad79c2c09137871b95672 for the new variant (some of you will get the hash 01a1115bcb0d5e32a98c76a50ac8868d on the same file).
- c0ea4f9c940ed25f5a6f9a5240aaf9d6 (new variant, but detected by most AV already)
- 932fbaf2efbf432d50532f7ec48b9e24 (new and not detected by many yet)
AV products are picking up the original; only some are picking up the variant (that should change over the next few hours).
Many readers have reported that their Anti Spam filters capture the files. If you are blocking executables, then at the moment things should be fine in your camp.
The subject and file names are changing as well in line with the news headlines of the day. We have seen:
- Chinese missile shot down USA aircraft
- Chinese missile shot down USA satellite
- Chinese missile shot down Russian satellite
- Russian missile shot down USA aircraft
- Russia missile shot down USA satellite
- Russian missile shot down Chinese aircraft
- Radical Muslim drinking enemies' blood
- Sadam Hussein alive!
- Sadam Hussein safe and sound!
- U.S. Southwest braces for another winter blast. More then 1000 people are dead. (new)
- The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
- The commander of a U.S. nuclear submarine lunch the rocket by mistake.
Symantec link: http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
UPDATE:
Another variant has surfaced; the file checksums to c0ea4f9c940ed25f5a6f9a5240aaf9d6, and the rest is the same. (Thanks, Ariel.)
Not all AV products pick this one up yet.
Mark
ISC Handler On Duty
Shearwater