Unknown Virus

[Raz316]

Afternoon.

From about 11 this morning, we have been getting emails in from random (though probably real) addresses. The only reason they were blocked at the mail server was because they contained .exe files. As far as I can tell the attachments are just randomly named...

btpea.exe
mcfptopht.exe
fvkxh.exe
idkkcqh.exe
sjn.exe

Any idea which virus this is? I had a look on Symantec.com but none of the newer ones describe randomly named attachments.

ta!

[Tomahawk]

Could possibly be MyDoom as that renames attachments randomly....and it sends you loads of emails from different addresses...

[Raz316]

Ta! Yeah it could be, but it would be wierd if it was because we have been blocking it (i.e. the Mailserver AV recognising it is MyDoom) for a while now.

[directhex]

zip it, password the zip as INFECTED, send it to virus_research@nai.com

it might not be new, but at the very least they mail you back to tell you waht it was

http://us.mcafee.com/root/faqs.asp?faq=453

[Raz316]

I may just do that, thanks. The e-mails are currently just deleted, so when I can be arsed to get up and wander to the server room I'll change whats needed to get a copy.

[Jiff Lemon]

Nope, variation of W32/Bagle-B.

Description:
W32/Bagle-B is a mass-mailing worm that also installs a back door server on compromised systems.The worm arrives in a message with the following characteristics:
Subject line: ID <random characters>... thanks
Message text:Yours ID <random characters>--Thank
Attached file: <Randomly_generated_name>.exe
When executed, it performs the following actions:
Launches sndrec32.exe, the Windows Sound Recorder.
Copies itself to %System%\au.exe.
Adds the value: "au.exe"="%System%\au.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runso that the worm runs when starting Windows.
Adds the key: HKEY_CURRENT_USER\SOFTWARE\Windows2000
The virus listens on TCP port 8866 for remote connections. A notification is sent to the author(s) via HTTP Port 80. A GET request (containing the port number and "id") is sent to a PHP script on remote server(s):www.47df.dewww.strato.deintern.games-ring.de·
Note - W32/Bagle-B is coded to stop on February 25th, 2004.

[Raz316]

Ooo that be the one

Thanks mr!

EDIT> Just showed up on Symantec as W32.Alua@mm with a rating of 3 already : o