Evaman.A Worm

[Meehowski]

Posted by harrywaldron - 07-5-04 08:34 - 0 comments

Hopefully, this new threat will remain low risk and users are safe as long as SCR or EXE attachments are not opened.

Evaman.A worm - new polymorphic mass mailer

http://secunia.com/virus_information/10429/

http://vil.nai.com/vil/content/v_126563.htm

http://www.sophos.com/virusinfo/analyses/w32evamana.html

http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39513

http://www.sarc.com/avcenter/venc/data/[email protected]

W32.Evaman@mm is a mass-mailing worm that spreads to addresses found at the website email.people.yahoo.com. This worm arrives as an attachment with a .exe or .scr extension.

SUBJECT OF EMAIL MESSAGE

returned mail

failure delivery

failed transaction

server error

mail failure

Delivery Status (Failure)

TEXT OF EMAIL MESSAGE

This is an automatically generated Delivery Status Notification.

Delivery to last recipient failed.

Email returned as attachment text file.

Message from Mail Delivery Server.

Unable to deliver message to last recipient.

Email returned as text file.

Email returned by the server as ASCII Text mail file.

To read the email download the included attachment.

Mail Server Notice:

Last email sent could not reach intented destination.

Email returned as ASCII text file.

The last email sent by this account could not reach intended destination.

Email has been returned as text file attachment.

Mail Delivery Status Notification:

Message returned by server. Message returned as text file attachment.

ATTACHMENT NAMES

body

message

email

returned

text

document

ATTACHMENT EXTENSIONS

*.scr

*.txt.scr

*.html.scr

*.outlook.scrtxt.exe

RELATED ARTICLE

QUOTE

A WORM described as the "new Doomsday" was unlikely to pose a large risk, according to the anti-virus vendor who reported it. Symantec senior technical director Tim Hartman downplayed a report about the "Evaman" mass mailer worm in a Sydney newspaper report today, in which he was quoted saying it could be "every bit as bad as MyDoom". "We don't think it'll spread as fast as MyDoom," Mr Hartman said of comparisons with the notorious worm which appeared earlier this year.

"It's just a mass mailer worm... the only similarity that we really have is the fact that the message in the email is very similar to Mydoom - it says 'failed to deliver this message' and conditions the user to open up the message and see which message failed."

The worm, dubbed W32.Evaman@mm by Symantec, searches Yahoo!'s email address directory and tries to email itself to resulting addresses by connecting to a dozen different outgoing mail servers. Most of the mail servers it tries to contact are operated by large US ISPs and telcos such as AT&T, Earthlink and MSN - which are are unlikely to allow open relay senders. MyDoom, like many other mass mailers, installed its own SMTP engine to send out copies of itself.

http://www.dozleng.com/index.php