[cotteleer]Worm

Chris Cotteleer cacotteleer@cotteleer.com
Thu, 22 Jul 2004 09:27:52 -0500



Hi everybody.
 
Following is the Symantec info on the worm that seems to have gotten to
us.  Please delete any unknown Zip files that come your way.  Hopefully
this will pass in the next few hours.  If not, we can take more
aggressive actions.  
 
If you have already opened a Zip file and think you might be infected,
call me or go to www.symantec.com and get Norton antivirus to resolve
the problem.
 
Thanks,
 
Chris
 
 
 
W32.Beagle@mm!zip is a detection for password-protected .zip files that
carry executables belonging to the W32.Beagle@mm family of mass-mailing
worms. 

The .zip files may arrive as part of an email message with a spoofed
From address. This address may sometimes be created using the local
domain, giving the appearance that it was sent from someone at the same
ISP or company as the recipient. For example, if your email address is
user@ispname.com, then the spoofed From address may be something like
support@ispname.com.

The following variants contain password-protected .zip files as email
attachments:


-----Original Message-----
From: lonnie@cotteleer.com [mailto:lonnie@cotteleer.com] 
Sent: Wednesday, July 21, 2004 3:29 PM
To: 'Cacotteleer'
Subject: RE: 



Chris,

 

What is this?  Before I open and install a mystery program, I like to
know this isn't some virus or Trojan horse that escaped from your
machine.

 

Thanks,

 

Lonnie

 

-----Original Message-----
From: Cacotteleer [mailto:cacotteleer@cotteleer.com] 
Sent: Wednesday, July 21, 2004 4:05 PM
To: Lonnie
Subject: Re:

 

>Screen and Music


Password: 
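A defender-side check for the arrival pattern Symantec describes above (a password-protected .zip carrying an executable, sent with a From address on the recipient's own domain), added here as an example and not part of the original email or Symantec's writeup. The sample mail and zip are constructed with the standard library: the zip builder only sets the encryption flag bit rather than encrypting anything, and EXEC_EXTS is an assumed list of executable suffixes.

```python
# Added example, not from the email or Symantec's writeup; sample data is constructed.
import email, io, struct, zipfile, zlib
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list of executable suffixes

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    # One stored entry; 'encrypted' only sets general-purpose flag bit 0 (no real cipher).
    flag, crc = (1 if encrypted else 0), zlib.crc32(data)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0, crc,
                        len(data), len(data), len(name), 0) + name + data
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0,
                       0, crc, len(data), len(data), len(name), 0, 0, 0, 0,
                       0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir),
                       len(local), 0)
    return local + cdir + eocd

def build_mail(sender: str, rcpt: str, zip_bytes: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "Re:"
    msg.set_content("Screen and Music\n\nPassword: (image)")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="screen.zip")
    return msg.as_bytes()

def domain(header) -> str:
    return parseaddr(str(header))[1].rpartition("@")[2].lower()

def scan(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        if not (fname := part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                entries = zf.infolist()  # central directory only; nothing is extracted
        except zipfile.BadZipFile:
            findings.append(f"{fname}: unreadable zip")
            continue
        for info in entries:
            if info.flag_bits & 0x1 and info.filename.lower().endswith(EXEC_EXTS):
                findings.append(f"{fname}: password-protected executable {info.filename}")
    # Spoofed-From heuristic from the writeup: sender domain equals recipient domain.
    if findings and domain(msg["From"]) == domain(msg["To"]):
        findings.append("sender domain matches recipient domain (possible spoof)")
    return findings
```

The domain match is only a signal on mail that arrived from outside the organisation; on its own it is normal for internal traffic, so it is reported only alongside an attachment finding.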

