
Matt Kolb, who heads the mail team for ACNS, looked into this new threat this morning and has got mail.msu.edu blocking transmission of it.  He's submitted it to the anti-virus consortium MSU participates in.  Matt may be able to supply more information.
 
If anyone has links to threat assessments of this one from the anti-virus industry that would be good to know.
 
/rich

 
On 1/27/06, Bryan Murphy <[log in to unmask]> wrote:
I just received an email that looks fairly legit at first glance. It states
that a rape occurred on campus and that attached you will find an image of
the suspect as captured from campus CCTV.  The attached file (suspect
image.exe) very well may be a virus (I'm sure as heck not going to run it to
find out).  Mail.msu.edu's clam did not pick it up nor did NAV10 with dats
dated yesterday.

I am not able to pull much useful information from the exe via the unix
strings command or ida pro.  If anyone has any more experience than I do
with virus disassembly I would be happy to forward the idapro file.

What I am able to pull from ida's hex view is some registry writing, file
deletion, file creation and process manipulation, but no details.

The contents of the email are attached below, you may want to warn your
users on this (although I'm not sure how prevalent it is yet).

Thanks.

/-----------------------------------------
| Bryan Murphy, CISSP
| Information Technology Coordinator
| MSU Plant Research Lab and Plant Biology
| http://infotech.prl.msu.edu
\-----------------------------------------




------------------------------/ suspect mail /------------------

Return-path: < [log in to unmask]>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
sys21.mail.msu.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
   MIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
Envelope-to: [log in to unmask]
Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185]
helo=southern.edu )
   by sys21.mail.msu.edu with smtp (Exim 4.52 #1)
   id 1F2WxA-00089q-69
   for [log in to unmask]; Fri, 27 Jan 2006 12:00:45 -0500
From: "Mr Robert Atkins" <[log in to unmask]>
To: <[log in to unmask]>
Subject: Rape on Campus
Date: Fri, 27 Jan 2006 17:00:03 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_8735D9CD401142400612F4268"
X-Priority: 3
X-Virus: None found by Clam AV



Hello,

During the early morning of January 25 2006, a campus student was the victim
of a horrific sexual assault within college grounds. Eyewitnesses report a
tall black man in grey pants running away from the scene.  Campus CCTV has
caught this man on camera and are looking for ways to identify him.  If
anyone recognises the attached picture could they inform administraion
immediatly


Regards,

Robert Atkins
Campus Administration



All information contained within this e-mail, including any attachment, is
confidential. If you have received this e-mail in error, please delete it
immediately. Do not use, disclose or spread the information in any way and
notify the sender immediately. Any views and opinions expressed in this
e-mail may not represent those of Business Monthly
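Added example, not part of the thread: a small Python triage script that applies three checks the quoted headers already point at (an executable attachment name and MZ magic, a HELO name that does not match the connecting host, and a Date header ahead of the receiving MTA's own timestamp, which is what the SpamAssassin DATE_IN_FUTURE_06_12 hit means) to a constructed message modelled on the quoted one. The addresses are hypothetical and the attachment is only a PE "MZ" stub, not the real file.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the thread. Addresses
# are hypothetical; the attachment body is just a PE "MZ" stub.
RAW = (
    "Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185]\n"
    "   helo=southern.edu )\n"
    "   by sys21.mail.msu.edu with smtp (Exim 4.52 #1)\n"
    "   for victim@example.edu; Fri, 27 Jan 2006 12:00:45 -0500\n"
    'From: "Mr Robert Atkins" <atkins@example.edu>\n'
    "Subject: Rape on Campus\n"
    "Date: Fri, 27 Jan 2006 17:00:03 -0800\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\n'
    "\n--BOUND\nContent-Type: text/plain\n\nHello,\n\n"
    '--BOUND\nContent-Type: application/octet-stream; name="suspect image.exe"\n'
    'Content-Disposition: attachment; filename="suspect image.exe"\n'
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AAA==\n--BOUND--\n"
)

EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs)$", re.I)
RECEIVED = re.compile(r"from (\S+) \(\[[^\]]+\] helo=([^\s)]+)")

def domain(name):
    """Crude registrable-domain guess: the last two DNS labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if EXEC_EXT.search(name):
            findings.append(f"executable attachment name: {name}")
        if data.startswith(b"MZ"):  # PE/DOS header regardless of the extension
            findings.append(f"attachment {name!r} starts with a PE (MZ) header")
    # Unfold the Received header, then compare HELO with the reverse-DNS name.
    received = " ".join(str(msg["Received"]).split())
    m = RECEIVED.search(received)
    if m and domain(m.group(1)) != domain(m.group(2)):
        findings.append(f"HELO {m.group(2)} does not match connecting host {m.group(1)}")
    # Date header vs. the time our own MTA stamped after the final ';'.
    stamped = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
    ahead_h = (parsedate_to_datetime(str(msg["Date"])) - stamped).total_seconds() / 3600
    if ahead_h > 6:
        findings.append(f"Date header is {ahead_h:.1f}h in the future")
    return findings
```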