[13088] in bugtraq
Re: Warning to Bugtraq posters.
daemon@ATHENA.MIT.EDU (Richard M. Smith)
Fri Dec 24 12:48:05 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NDBBKGHPMKBKDDGLDEEHOEHHCKAA.smiths@tiac.net>
Date: Thu, 23 Dec 1999 15:59:17 -0500
Reply-To: "Richard M. Smith" <smiths@TIAC.NET>
From: "Richard M. Smith" <smiths@TIAC.NET>
X-To: Steven Alexander <steve@cell2000.net>,
"BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <000601bf4c9c$6f0bd9c0$0100007f@localhost.cell2000.net>

Hi Steven,

Okay, this is probably the NewApt worm/trojan/virus. Here are
some descriptions of it:

Trend Micro Description
http://www.antivirus.com/vinfo/security/sa121499.htm

NAI Avert Description
http://vil.nai.com/vil/wm10475.asp

Symantec Description
http://www.symantec.com/avcenter/venc/data/worm.newapt.html

F-Secure Description
http://www.europe.f-secure.com/v-descs/newapt.htm

The NTBugTraq mailing list had the same problem last week.
All it takes is one person on a mailing list to get infected,
then it sends itself off to people who have posted messages to
the list. For example, I got a WinApt message from Italy that was a
reply to a message I posted in August to NTBugTraq.

An interesting side note, NewApt contains an IP address
for a Microsoft Web server that shows the www.microsoft.com
homepage. Not sure what the purpose of this address is
in the code.

Richard

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Steven
> Alexander
> Sent: Wednesday, December 22, 1999 11:49 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Warning to Bugtraq posters.
>
>
> After my last post to bugtraq (Re: w00w00....) I received a message
> pertaining to be from myself with the same subject line. The message
> contained an attachment program named goal.exe. It claimed that this
> program was from messagemates.com. If the program is run it will give an
> error message about an unfound .DLL. It will also create a new goal.exe in
> "C:\WINNT\" and an entry in the registry named "tpawen" with the value
> "C:\WINNT\goal.exe /x" under
> "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run". I don't
> know what this program is, I am disassembling it now and will post again
> later. The header from the message I received indicates that the mail was
> received by my mail server from "stu.chesapeake.net, 205.130.220.9". If
> anyone knows anything more please email me.
>
> -steven alexander
>