[plug] mail flood

Craig Ringer craig at postnewspapers.com.au
Sat Jul 3 05:23:04 WST 2004


On Sat, 2004-07-03 at 04:03, Craig Ringer wrote:

> Symantec doesn't seem to know anything about it.

The MD5sum of the encoded MS-Windows executable I extracted from
a number of the messages is:

a784ae53526d6e08d13c71b3de267660

and it _appears_ to be the same across the (relatively small)
message sample set I checked.

If you ever need to do this (decode base64-encoded MIME data like
uuencode etc), it's easy to cut the message down to just the base64
encoded data in a text editor then:

python -c \
"file('decoded','w').write(file('bad_msg').read().decode('base64'))"

(of course, there's going to be some easy dedicated command line tool to
do it like uudecode does).

Aaah, a little more digging reveals that it's Zafi.B .
http://www.sophos.com/virusinfo/analyses/w32zafib.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.b%40mm.html

I wonder why it suddenly started flooding out of nowhere? I blocked the
main source (a Connect.com.au address, 210.8.249.250) and it's fallen
off rapidly, but it's still coming from a lot of different sources. 

So ... it's just another Windows mass mailing worm. I normally don't
even notice when the next one hits anymore, they're so frequent. I've
given up on antivirus in favour of strict MIME type and file ext blocks
on the mail server, so they normally go totally unremarked. I initially
noticed this one only because the /var filesystem of my front-line mail
server filled up with bounce messages, causing a bunch of alarms.

Sorry for the noise, everybody.

--
Craig Ringer
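The decode-and-hash step described in the post (cut the base64 attachment out of the message, decode it, MD5 the result, compare across the sample set) done with the standard library, as an added example that is not part of the original post. It also applies a file-extension block of the kind the post mentions using instead of antivirus. The sample messages, the `BLOCKED_EXTENSIONS` list and the placeholder attachment bytes are all constructed for the demo; nothing here is the actual worm or the poster's server configuration.

```python
import hashlib
import os
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed block list in the spirit of "strict MIME type and file ext
# blocks" from the post; not the real server's rules.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

# Constructed stand-in for an attachment: an "MZ" prefix plus filler so it
# hashes like a binary blob. It is not an executable of any kind.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 30 + b"CONSTRUCTED SAMPLE, NOT A REAL PROGRAM"


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a mass-mailer-style message with one base64 attachment.

    MIMEApplication base64-encodes the payload for us, which gives the same
    shape of message the post was cutting apart by hand."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("see attachment"))
    att = MIMEApplication(payload, Name=filename)
    att["Content-Disposition"] = f'attachment; filename="{filename}"'
    msg.attach(att)
    return msg.as_bytes()


def extract_attachments(raw: bytes):
    """Yield (filename, content_type, decoded_bytes) for every named part.

    get_payload(decode=True) undoes base64 or quoted-printable transfer
    encoding, so no text-editor surgery on the message is needed."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            continue
        yield filename, part.get_content_type(), part.get_payload(decode=True)


def md5_hex(data: bytes) -> str:
    """MD5 of the decoded attachment, matching what md5sum prints."""
    return hashlib.md5(data).hexdigest()


def is_blocked(filename: str) -> bool:
    """Extension block; splitext takes the last extension, so 'photo.jpg.pif'
    is judged by '.pif'."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def triage(raw_messages):
    """Group attachments across a sample set by MD5.

    Returns {md5: {"count", "filenames", "types", "blocked"}} so you can see
    at a glance whether a flood carries one payload under many names."""
    report = {}
    for raw in raw_messages:
        for filename, ctype, data in extract_attachments(raw):
            entry = report.setdefault(
                md5_hex(data),
                {"count": 0, "filenames": set(), "types": set(), "blocked": False},
            )
            entry["count"] += 1
            entry["filenames"].add(filename)
            entry["types"].add(ctype)
            entry["blocked"] = entry["blocked"] or is_blocked(filename)
    return report


if __name__ == "__main__":
    samples = [
        build_sample("zafi.exe", FAKE_PAYLOAD),
        build_sample("photo.jpg.pif", FAKE_PAYLOAD),
        build_sample("notes.txt", b"hello"),
    ]
    for digest, info in triage(samples).items():
        print(digest, info["count"], sorted(info["filenames"]),
              "BLOCKED" if info["blocked"] else "allowed")
```

Feeding a directory of quarantined messages through `triage` is the quick way to confirm what the post found by hand: one hash across the whole sample set means one worm variant, while several hashes mean either multiple variants or polymorphism worth a closer look.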