Evaman.A worm - new polymorphic mass mailer

Discussion in 'malware problems & news' started by the mul, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    Hopefully, this new threat will remain low risk and users are safe as long as SCR or EXE attachments are not opened.

    Evaman.A worm - new polymorphic mass mailer
    http://secunia.com/virus_information/10429/
    http://vil.nai.com/vil/content/v_126563.htm
    http://www.sophos.com/virusinfo/analyses/w32evamana.html
    http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39513
    http://www.sarc.com/avcenter/venc/data/w32.evaman@mm.html

    W32.Evaman@mm is a mass-mailing worm that spreads to addresses found at the website email.people.yahoo.com. This worm arrives as an attachment with a .exe or .scr extension.

    SUBJECT OF EMAIL MESSAGE
    returned mail
    failure delivery
    failed transaction
    server error
    mail failure
    Delivery Status (Failure)

    TEXT OF EMAIL MESSAGE
    This is an automatically generated Delivery Status Notification.
    Delivery to last recipient failed.
    Email returned as attachment text file.
    Message from Mail Delivery Server.
    Unable to deliver message to last recipient.
    Email returned as text file.
    Email returned by the server as ASCII Text mail file.
    To read the email download the included attachment.
    Mail Server Notice:
    Last email sent could not reach intented destination.
    Email returned as ASCII text file.
    The last email sent by this account could not reach intended destination.
    Email has been returned as text file attachment.
    Mail Delivery Status Notification:
    Message returned by server. Message returned as text file attachment.

    ATTACHMENT NAMES
    body
    message
    email
    returned
    text
    document

    ATTACHMENT EXTENSIONS
    *.scr
    *.txt.scr
    *.html.scr
    *.outlook.scrtxt.exe


    RELATED ARTICLE


    QUOTE
    A WORM described as the "new Doomsday" was unlikely to pose a large risk, according to the anti-virus vendor who reported it. Symantec senior technical director Tim Hartman downplayed a report about the "Evaman" mass mailer worm in a Sydney newspaper report today, in which he was quoted saying it could be "every bit as bad as MyDoom". "We don't think it'll spread as fast as MyDoom," Mr Hartman said of comparisons with the notorious worm which appeared earlier this year.

    "It's just a mass mailer worm... the only similarity that we really have is the fact that the message in the email is very similar to Mydoom - it says 'failed to deliver this message' and conditions the user to open up the message and see which message failed."

    The worm, dubbed W32.Evaman@mm by Symantec, searches Yahoo!'s email address directory and tries to email itself to resulting addresses by connecting to a dozen different outgoing mail servers. Most of the mail servers it tries to contact are operated by large US ISPs and telcos such as AT&T, Earthlink and MSN - which are unlikely to allow open relay senders. MyDoom, like many other mass mailers, installed its own SMTP engine to send out copies of itself.



    The Mul
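
A mail-filter check built from the indicators listed in the post above, as an added example that is not part of the original post or any vendor's code. It also tests whether a bounce-looking message has the structure of a genuine delivery status notification (RFC 3464, `multipart/report`); the function name, reason labels and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Indicators copied from the post above (lower-cased for comparison).
SUBJECTS = {"returned mail", "failure delivery", "failed transaction",
            "server error", "mail failure", "delivery status (failure)"}
ATTACH_STEMS = {"body", "message", "email", "returned", "text", "document"}
EXEC_EXTS = {"scr", "exe"}

# Constructed sample message; the attachment body is a placeholder, not a binary.
SAMPLE = """\
Subject: Delivery Status (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Email returned as text file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.txt.scr"

CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-BINARY
--b1--
"""

def score_message(msg: Message) -> list:
    """Return the reasons a message matches the fake-bounce pattern."""
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        reasons.append("subject")
        # A genuine DSN (RFC 3464) is multipart/report, report-type=delivery-status.
        report = str(msg.get_param("report-type", "")).lower()
        if msg.get_content_type() != "multipart/report" or report != "delivery-status":
            reasons.append("bounce-subject-without-dsn-structure")
    for part in msg.walk():
        pieces = (part.get_filename() or "").lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in EXEC_EXTS:
            continue  # no filename, or final extension is not executable
        reasons.append("executable-attachment")
        if len(pieces) > 2:
            reasons.append("double-extension")  # e.g. .txt.scr
        if pieces[0] in ATTACH_STEMS:
            reasons.append("attachment-name")
    return reasons

if __name__ == "__main__":
    print(score_message(message_from_string(SAMPLE)))
```
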
     