Matt Kolb, who heads the mail team for ACNS, looked into this new threat this morning and has got mail.msu.edu blocking transmission of it. He's submitted it to the anti-virus consortium MSU participates in. Matt may be able to supply more information. If anyone has links to threat assessments of this one from the anti-virus industry, that would be good to know.

/rich

On 1/27/06, Bryan Murphy <[log in to unmask]> wrote:
>
> I just received an email that looks fairly legit at first glance. It states
> that a rape occurred on campus and that attached you will find an image of
> the suspect as captured from campus CCTV. The attached file (suspect
> image.exe) very well may be a virus (I'm sure as heck not going to run it to
> find out). Mail.msu.edu's clam did not pick it up nor did NAV10 with dats
> dated yesterday.
>
> I am not able to pull much useful information from the exe via the unix
> strings command or ida pro. If anyone has any more experience than I do
> with virus disassembly I would be happy to forward the idapro file.
>
> What I am able to pull from ida's hex view is some registry writing, file
> deletion, file creation and process manipulation, but no details.
>
> The contents of the email are attached below; you may want to warn your
> users on this (although I'm not sure how prevalent it is yet).
>
> Thanks.
>
> /-----------------------------------------
> | Bryan Murphy, CISSP
> | Information Technology Coordinator
> | MSU Plant Research Lab and Plant Biology
> | http://infotech.prl.msu.edu
> \-----------------------------------------
>
>
> ------------------------------/ suspect mail /------------------
>
> Return-path: <[log in to unmask]>
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>     sys21.mail.msu.edu
> X-Spam-Level: *
> X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
>     MIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
> Envelope-to: [log in to unmask]
> Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
> Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185]
>     helo=southern.edu)
>     by sys21.mail.msu.edu with smtp (Exim 4.52 #1)
>     id 1F2WxA-00089q-69
>     for [log in to unmask]; Fri, 27 Jan 2006 12:00:45 -0500
> From: "Mr Robert Atkins" <[log in to unmask]>
> To: <[log in to unmask]>
> Subject: Rape on Campus
> Date: Fri, 27 Jan 2006 17:00:03 -0800
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="----=_NextPart_8735D9CD401142400612F4268"
> X-Priority: 3
> X-Virus: None found by Clam AV
>
>
> Hello,
>
> During the early morning of January 25 2006, a campus student was the victim
> of a horrific sexual assault within college grounds. Eyewitnesses report a
> tall black man in grey pants running away from the scene. Campus CCTV has
> caught this man on camera and are looking for ways to identify him. If
> anyone recognises the attached picture could they inform administration
> immediately
>
> Regards,
>
> Robert Atkins
> Campus Administration
>
>
> All information contained within this e-mail, including any attachment, is
> confidential. If you have received this e-mail in error, please delete it
> immediately. Do not use, disclose or spread the information in any way and
> notify the sender immediately. Any views and opinions expressed in this
> e-mail may not represent those of Business Monthly
>
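As an added example (not part of the thread), a small Python triage script that checks the three signals visible in the quoted headers: the SMTP HELO name (southern.edu) disagreeing with the connecting host's reverse-DNS name (an ntlworld ADSL client), the Date header running several hours ahead of Delivery-date (the skew SpamAssassin's DATE_IN_FUTURE_06_12 rule scored), and an executable attachment name such as "suspect image.exe". The header sample is a constructed copy of the quoted headers with the masked mailbox addresses replaced by example.invalid placeholders; the tag names are my own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed copy of the thread's quoted headers; mailbox addresses are placeholders.
SAMPLE_HEADERS = """\
X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
\tMIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185]
\thelo=southern.edu)
\tby sys21.mail.msu.edu with smtp (Exim 4.52 #1)
\tid 1F2WxA-00089q-69
\tfor victim@example.invalid; Fri, 27 Jan 2006 12:00:45 -0500
From: "Mr Robert Atkins" <sender@example.invalid>
Date: Fri, 27 Jan 2006 17:00:03 -0800

"""

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\s+helo=([^)\s]+)\)", re.I)

def helo_mismatch(received):
    """(rdns, helo) if HELO is neither the connecting host's reverse-DNS
    name nor a parent domain of it; None when they agree or nothing parses."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    rdns, helo = m.group(1).lower(), m.group(3).lower()
    if rdns == helo or rdns.endswith("." + helo):
        return None
    return rdns, helo

def date_skew_hours(date_hdr, delivery_hdr):
    """Hours by which the sender's Date header is ahead of local delivery."""
    sent = parsedate_to_datetime(date_hdr)
    delivered = parsedate_to_datetime(delivery_hdr)
    return (sent - delivered).total_seconds() / 3600

def triage(raw_headers, attachment_names):
    """Return the set of indicator tags a message raises."""
    msg = message_from_string(raw_headers)
    tags = set()
    for received in msg.get_all("Received") or []:  # every hop is checked
        if helo_mismatch(received):
            tags.add("HELO_RDNS_MISMATCH")
    if msg["Date"] and msg["Delivery-date"] and date_skew_hours(msg["Date"], msg["Delivery-date"]) > 6:
        tags.add("DATE_IN_FUTURE")
    if any(n.lower().endswith(EXECUTABLE_EXTS) for n in attachment_names):
        tags.add("EXECUTABLE_ATTACHMENT")
    return tags
```

On the quoted message this raises all three tags; a HELO mismatch alone is common for misconfigured but legitimate hosts, so it is a scoring input rather than a block-on-sight rule.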