
SANS ISC: FAST MOVING EMAIL VIRUS, More IE scripting concerns - SANS Internet Storm Center

FAST MOVING EMAIL VIRUS, More IE scripting concerns

A mass-mailing virus has been released that uses its own SMTP engine and Kazaa P2P to spread. AV vendors began releasing updated signatures around 6 pm EST (2300 UTC) on the 26th, with several different names. Since release of the new signatures, our mail filter has intercepted several hundred copies of this virus at a rate of several per minute.

As of 10pm EST (0300 UTC 27 JAN 04) there has been a slowdown in the number of emails received here. More details about the virus are online at

The following excerpts are taken from the AV vendor write-ups linked below; check them frequently for additions.



W32.Novarg.A@mm (Symantec)

Win32/Shimg (CA)


The email arrives with a masked executable attachment. The attachment file extensions vary (.exe, .pif, .cmd, .scr).

Size: 22,528 bytes

Attachment Names (not exhaustive) are chosen from the following list of names:


The icon used by the file tries to make the attachment look like a text file. There are other reports of different icons being used, such as an MS-DOS shortcut icon on the executable.

The worm may also send itself out as a legitimate ZIP archive.

Upon execution, it launches Notepad.exe and displays a message with non-legible characters.

The worm encrypts most of the strings in its UPX-packed body with the rot13 method.

The worm opens a connection on TCP port 3127, suggesting remote access capabilities. Connecting to this port on an infected computer using Netcat shows only binary output, suggesting a possible backdoor, additional instructions for a possible future worm, or perhaps an encrypted SMTP engine for spammers. Investigation continues.

Other email

From: (spoofed)

Possible Subjects (not exhaustive):
Server Report
Mail Delivery System
Mail Transaction Failed
Server Request

Or a subject consisting of randomly generated characters.

Body (varies; examples):

"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
"The message contains Unicode characters and has been sent as a binary attachment."
"Mail transaction failed. Partial message is available."

After a system becomes infected, it may begin to participate in a DDoS attack against by routinely sending 63 HTTP requests. This may cause local DoS conditions as well due to excessive traffic from multiple infected hosts.
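The subject lines, body text and attachment details above are enough to build a simple mail-filter check. The following is an added example, not code from the ISC or from any AV vendor; it scores a raw RFC 822 message against the indicators transcribed from this diary, and the "random subject" heuristic and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Indicators transcribed from the diary above (the diary says they are not exhaustive).
KNOWN_SUBJECTS = {"server report", "mail delivery system",
                  "mail transaction failed", "server request"}
BODY_PHRASES = ("cannot be represented in 7-bit ascii", "contains unicode characters",
                "mail transaction failed. partial message is available")
SUSPECT_EXTENSIONS = (".exe", ".pif", ".cmd", ".scr", ".zip")
KNOWN_SIZE = 22528  # attachment size in bytes, per the diary
def looks_random(subject):
    """Heuristic (assumption): a single run of letters/digits with no spaces."""
    return re.fullmatch(r"[A-Za-z0-9]{6,}", subject.strip()) is not None
def classify(raw):
    """Return the diary indicators a raw RFC 822 message matches (empty list = none)."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        hits.append("subject: known bounce-style subject")
    elif looks_random(subject):
        hits.append("subject: random characters")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if name:  # a named part is treated as an attachment
            if name.lower().endswith(SUSPECT_EXTENSIONS):
                hits.append("attachment: suspect extension " + name)
            if len(data) == KNOWN_SIZE:
                hits.append("attachment: size %d bytes" % KNOWN_SIZE)
        elif part.get_content_type() == "text/plain":
            text = data.decode("utf-8", "replace").lower()
            hits.extend("body: " + p for p in BODY_PHRASES if p in text)
    return hits
# Constructed sample message, not a real capture; the attachment body is a placeholder.
SAMPLE = """Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.pif"

MZ-placeholder-not-a-real-binary
--b1--
"""
```

Two or more hits on one message is a strong match; a single hit (a bounce-style subject alone, for instance) is worth quarantining for review rather than dropping outright.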

More Internet Explorer Scripting Concerns

A new method of exploiting Microsoft Internet Explorer security zones was posted to the BUGTRAQ mailing list today that uses the Windows XP ".folder" extension to trick users into running scripts in the My Computer zone. This is another example of the dangers of unrestricted scripting in trusted zones. Preliminary information from Microsoft indicates that Service Pack 2 for Windows XP will include improvements to restrict web pages from running in the My Computer zone. In the meantime, organizations are advised to disable the "Hide Extensions for Known File Types" option on Windows systems, and advise users to report instances of folders appearing with the ".folder" extension.


-Joshua Wright

(Updated by Marcus Sachs)

Jan 27th 2004
