new email worm - please read


Please be on the safe side and read the below information about the latest email worm. This worm must really be making its rounds quickly, because I've already received 2 of these emails. Please realize you DON'T even have to download anything from the email to get the worm....that's what makes it so sneaky. When you open the email, it looks like an innocent letter with a link. The link is what triggers the worm. DO NOT CLICK IT!!!

The virus spreads by sending email messages to addresses found on the local system, as well as addresses constructed by the virus. The message appears as follows:


Spoofed address (may be exchange-robot@paypal.com when sending paypal message body below)

Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!

See you! 


Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos! 

The mail header may contain one of the following fields:

X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)

X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)

X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

There is no attachment to the message. The homepage or link hyperlink points to the infected system which sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus.

Infected systems will show Windows Explorer listening on TCP Port 1639, the port the web server runs on.

When a user follows a hyperlink sent by the virus, they are connected with the infected computer (http:// IP address of infected host that sent the email message :1639/index.htm). The webcam.htm page that is served results in a buffer overflow occurring in Internet Explorer. Shell code then executes, which instructs the local machine to download a remote file (http:// IP address :1639/reactor) and save it to a local file %desktop%\vv.dat and then execute the downloaded file.
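
A mail-filter check built from the indicators in the post above, as an added example that is not part of the original post: it flags a message whose body links to a raw IP address on TCP port 1639, and records the listed X-AntiVirus values and the absence of an attachment as supporting signals. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# X-AntiVirus values quoted in the post; supporting signal only.
AV_HEADERS = (
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked by Dr.Web (http://www.drweb.net)",
    "Checked for viruses by Gordano's AntiVirus Software",
)
WORM_PORT = 1639  # port of the web server on the infected sender, per the post
# Link form described in the post: http://<IPv4 address>:<port>/<page>
IP_URL = re.compile(r"http://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(/[^\s\"'<>]*)?", re.I)

def indicators(raw_message):
    """Return the indicators from the post that this message matches."""
    msg = message_from_string(raw_message)
    hits = []
    av_values = [v.strip() for v in msg.get_all("X-AntiVirus", [])]
    if any(v in AV_HEADERS for v in av_values):
        hits.append("x-antivirus-header")
    bodies, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            bodies.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    if not has_attachment:
        hits.append("no-attachment")
    for host, port, _path in IP_URL.findall("\n".join(bodies)):
        if all(int(o) <= 255 for o in host.split(".")) and int(port) == WORM_PORT:
            hits.append("link-to-ip:1639")
            break
    return hits

def is_suspect(raw_message):
    """Flag on the link indicator; the other two alone are too common."""
    return "link-to-ip:1639" in indicators(raw_message)

# Constructed sample messages (192.0.2.10 is a documentation address).
SAMPLE_WORM = (
    "From: exchange-robot@paypal.com\nSubject: hi\n"
    "X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)\n"
    "Content-Type: text/html\n\n"
    '<a href="http://192.0.2.10:1639/index.htm">homepage</a>\n'
)
SAMPLE_CLEAN = "From: a@example.com\n\nSee http://192.0.2.10:8080/ and http://example.com:1639/\n"
```
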
