I just received an email that looks fairly legit at first glance. It states that a rape occurred on campus and that attached you will find an image of the suspect as captured from campus CCTV. The attached file (suspect image.exe) very well may be a virus (I'm sure as heck not going to run it to find out). Mail.msu.edu's clam did not pick it up, nor did NAV10 with dats dated yesterday.

I am not able to pull much useful information from the exe via the Unix strings command or IDA Pro. If anyone has any more experience than I do with virus disassembly, I would be happy to forward the IDA Pro file. What I am able to pull from IDA's hex view is some registry writing, file deletion, file creation and process manipulation, but no details.

The contents of the email are attached below; you may want to warn your users about this (although I'm not sure how prevalent it is yet).

Thanks.

/-----------------------------------------
| Bryan Murphy, CISSP
| Information Technology Coordinator
| MSU Plant Research Lab and Plant Biology
| http://infotech.prl.msu.edu
\-----------------------------------------

------------------------------/ suspect mail /------------------

Return-path: <[log in to unmask]>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on sys21.mail.msu.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
    MIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
Envelope-to: [log in to unmask]
Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185] helo=southern.edu)
    by sys21.mail.msu.edu with smtp (Exim 4.52 #1)
    id 1F2WxA-00089q-69
    for [log in to unmask]; Fri, 27 Jan 2006 12:00:45 -0500
From: "Mr Robert Atkins" <[log in to unmask]>
To: <[log in to unmask]>
Subject: Rape on Campus
Date: Fri, 27 Jan 2006 17:00:03 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_8735D9CD401142400612F4268"
X-Priority: 3
X-Virus: None found by Clam AV

Hello,

During the early morning of January 25 2006, a campus student was the victim of a horrific sexual assault within college grounds. Eyewitnesses report a tall black man in grey pants running away from the scene. Campus CCTV has caught this man on camera and are looking for ways to identify him.

If anyone recognises the attached picture could they inform administraion immediatly

Regards,

Robert Atkins
Campus Administration

All information contained within this e-mail, including any attachment, is confidential. If you have received this e-mail in error, please delete it immediately. Do not use, disclose or spread the information in any way and notify the sender immediately. Any views and opinions expressed in this e-mail may not represent those of Business Monthly