Published January 19th, 2004 by Jim O'Halloran
Strange Email Message
I’ve now seen two of these messages in the last couple of hours. In one case I can say that the from address is definitely forged, in the other I’m not sure. In both cases the subject line and message content were virtually identical (except for the string of random characters in the message body). MIMEDefang stripped .exe file attachments off of both messages.
-----Original Message-----
From: fraser@trilobytes.com.au
Sent: Monday, 19 January 2004 13:39
To: linuxsa@linuxsa.org.au
Subject: Hi

Test =)
vrrtlwkh
--
Test, yep.

===========================================================================
WARNING: This e-mail has been altered by MIMEDefang. Following this paragraph are indications of the actual changes made. For more information about your site's MIMEDefang policy, contact Jim O'Halloran. For more information about MIMEDefang, see:

http://www.roaringpenguin.com/mimedefang/enduser.php3

An attachment named vlpfmr.exe was removed from this document as it constituted a security hazard. If you require this document, please contact the sender and arrange an alternate means of receiving it.
In the case of the message above the forgery was good enough to get past the list server on our local Linux group’s mailing list.
I’m guessing I’m seeing the next Windows virus outbreak in its infancy. Has anyone else seen messages like this lately?
UPDATE: According to Symantec this is the W32.Beagle.A@mm worm.
W32.Beagle.A@mm is a mass-mailing worm that will only work until 28th of January. This worm will insert several files and registry keys on the system. It will also access remote websites, and email all contacts it can find.
UltraBob Says
I had seen an e-mail like that, but without any kind of attachment. I investigated it as much as I knew how, but could only guess that some spammer was sending test e-mails to find addresses that errors didn’t bounce back for. Hmmmm
Feb 6th, 2004 at 7:08 pm