New Virus?

I just received an email that looks fairly legit at first glance. It states
that a rape occurred on campus (being that I work at a university this makes
sense) and that attached you will find an image of the suspect as captured
from campus CCTV. The attached file (suspect image.exe) very well may be a
virus (I'm sure as heck not going to run it to find out). My university's
clamav did not pick it up nor did NAV10 with dats dated yesterday.

I am not able to pull much useful information from the exe via the Unix
strings command or IDA Pro. If anyone has any more experience than I do
with virus disassembly I would be happy to forward the IDA Pro file.

What I am able to pull from IDA's hex view is some registry writing, file
deletion, file creation and process manipulation, but no details.

The contents of the email are attached below, you may want to warn your
users on this (although I'm not sure how prevalent it is yet).

—————————

Return-path:
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
sys21.mail.msu.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
MIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
Envelope-to: XXXXXXX@msu.edu
Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185]
helo=southern.edu)
by sys21.mail.msu.edu with smtp (Exim 4.52 #1)
id 1F2WxA-00089q-69
for XXXXXXX@msu.edu; Fri, 27 Jan 2006 12:00:45 -0500
From: "Mr Robert Atkins"
To:
Subject: Rape on Campus
Date: Fri, 27 Jan 2006 17:00:03 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_8735D9CD401142400612F4268"
X-Priority: 3
X-Virus: None found by Clam AV

Hello,

During the early morning of January 25 2006, a campus student was the victim
of a horrific sexual assault within college grounds. Eyewitnesses report a
tall black man in grey pants running away from the scene. Campus CCTV has
caught this man on camera and are looking for ways to identify him. If
anyone recognises the attached picture could they inform administraion
immediatly

Regards,

Robert Atkins
Campus Administration

All information contained within this e-mail, including any attachment, is
confidential. If you have received this e-mail in error, please delete it
immediately. Do not use, disclose or spread the information in any way and
notify the sender immediately. Any views and opinions expressed in this
e-mail may not represent those of Business Monthly
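As an added example (not from the original post), a small triage script that parses headers like the ones quoted above and flags the three things a mail admin would want to see before warning users: a HELO name whose domain does not match the connecting host, a Date header hours ahead of the receiving MTA's own timestamp, and an attachment with an executable extension. The sample message is constructed from the quoted hop, Date and MIME headers; the addresses, the boundary and the attachment body are placeholders.

```python
import email
import re
from datetime import timedelta
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample: the hop, Date and MIME headers quoted in the post, with
# placeholder addresses and an "MZ" stub standing in for the attachment.
RAW = """\
Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([82.19.18.185]
 helo=southern.edu)
 by sys21.mail.msu.edu with smtp (Exim 4.52 #1)
 id 1F2WxA-00089q-69
 for recipient@example.invalid; Fri, 27 Jan 2006 12:00:45 -0500
Date: Fri, 27 Jan 2006 17:00:03 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: application/octet-stream; name="suspect image.exe"
Content-Disposition: attachment; filename="suspect image.exe"

MZ
--part-boundary--
"""

EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)
HOP = re.compile(r"from\s+(\S+)\s+\(\[[^\]]+\]\s+helo=([^\s)]+)\)")

def triage(raw):
    """Return the indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    rcvd = str(msg["Received"] or "")
    # 1. HELO name whose domain differs from the connecting host's rDNS name.
    hop = HOP.search(rcvd)
    if hop and hop.group(1).split(".")[-2:] != hop.group(2).split(".")[-2:]:
        hits.append("helo-mismatch:%s!=%s" % (hop.group(2), hop.group(1)))
    # 2. Date header well ahead of the receiving MTA's own timestamp
    #    (the same thing SpamAssassin's DATE_IN_FUTURE_06_12 rule caught).
    delivered = parsedate_to_datetime(rcvd.rsplit(";", 1)[-1].strip())
    if msg["Date"].datetime - delivered > timedelta(hours=1):
        hits.append("date-in-future")
    # 3. Any attachment carrying an executable extension, whatever its name.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if EXEC_EXT.search(name):
            hits.append("exe-attachment:" + name)
    return hits
```

Run on the sample it reports all three indicators; the same checks are cheap enough to run as a milter or a mailbox sweep after the fact.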
