New MyWife worm?

[Gabriele Neukam]

I received a mail from Sri Lanka (I wrote only *one* letter to this
place, after Boxing Day), which is infected with nyxem.C, according to
Kaspersky's online scanner. Other AVC vendors call it Blueworm,
Blackmal, or MyWife. The descriptions don't exactly fit Blackmal.C, can
it be that this one is a new version?

The sender and subject are different from those give in the
descriptions of the version which circulated in september.

Header is:

Return-Path: <[email protected]>
Received: from mailin06.sul.t-online.de ([203.143.12.116]) by
mailin24.sul.t-online.de
with smtp id 1DFnFq-0qJguW0; Mon, 28 Mar 2005 07:57:38 +0200
From: "vip" <[email protected]>
To: (e-mail address removed)
Subject: hi
Date: 28 Mar 2005 12:01:16 +0600
MIME-Version: 1.0
X-TOI-SPAM: u;0;2005-03-28T05:57:57Z
X-TOI-VIRUSSCAN: unchecked
X-TOI-MSGID: 61c82350-d7c8-4c77-8179-a65f99fda218
X-Seen: true
X-Mailer: T-Online eMail 5.00.0035
Content-Type: multipart/mixed; boundary="--NextMimePart"

Inside are two links to external smilie gifs, a "Life.jpg" picture with
a topless woman who has somebody else's hand in her jeans (front side),
and an attachment called download3.pgzip.z


Gabriele Neukam

(e-mail address removed)

 

[Ian JP Kenefick]

I received a mail from Sri Lanka (I wrote only *one* letter to this
place, after Boxing Day), which is infected with nyxem.C, according to
Kaspersky's online scanner. Other AVC vendors call it Blueworm,
Blackmal, or MyWife. The descriptions don't exactly fit Blackmal.C, can
it be that this one is a new version?

The sender and subject are different from those give in the
descriptions of the version which circulated in september.

Header is:

Return-Path: <[email protected]>
Received: from mailin06.sul.t-online.de ([203.143.12.116]) by
mailin24.sul.t-online.de
with smtp id 1DFnFq-0qJguW0; Mon, 28 Mar 2005 07:57:38 +0200
From: "vip" <[email protected]>
To: (e-mail address removed)
Subject: hi
Date: 28 Mar 2005 12:01:16 +0600
MIME-Version: 1.0
X-TOI-SPAM: u;0;2005-03-28T05:57:57Z
X-TOI-VIRUSSCAN: unchecked
X-TOI-MSGID: 61c82350-d7c8-4c77-8179-a65f99fda218
X-Seen: true
X-Mailer: T-Online eMail 5.00.0035
Content-Type: multipart/mixed; boundary="--NextMimePart"

Inside are two links to external smilie gifs, a "Life.jpg" picture with
a topless woman who has somebody else's hand in her jeans (front side),
and an attachment called download3.pgzip.z

Why don't you send the file to (e-mail address removed) and see if it's
attributes match that of variant descriptions.
--

Regards,
Ian Kenefick
http://www.ik-cs.com
If you have a virus: www.ik-cs.com/got-a-virus.htm