-
December 13th, 2001, 11:25 AM
#1
Grey03.eml and jpg file... Virus??????
I just came back from one of our client's offices where there are several computers that are infected with a file named grey03.eml. I found 164 instances of this file as well as one file named Grey03.jpg (photo of a rather homely looking woman standing in front of a block wall) and several more of grey03.scr. I know the .eml is an e-mail file and .scr is a script file. Does anyone know what virus they are associated with??
Any help would be GREATLY appreciated.
-
December 13th, 2001, 01:38 PM
#2
Registered User
<a href="http://securityresponse.symantec.com/avcenter/venc/data/[email protected]" target="_blank">Nimda</a> uses the *.eml extension and you may also have a variant of <a href="http://securityresponse.symantec.com/avcenter/venc/data/[email protected]" target="_blank">goner</a> which uses *.scr.
Grey03.jpg is probably the file nimda emulated to start transferring itself. It did the same thing at my workplace with a couple of "good" files.
Good luck
-
December 13th, 2001, 02:05 PM
#3
Thanks, Looks like Nimda.d is the culprit.
-
December 13th, 2001, 03:06 PM
#4
Registered User
[quote]Originally posted by *MAYHEM*:
Thanks, Looks like Nimda.d is the culprit.[/quote]
Sorry to hear that.
My condolences for your weekend, as you'll probably be spending it cleaning out your servers and workstations.
-
December 15th, 2001, 04:44 PM
#5
Registered User
Sorry I can't help it...
THE JOY of using McAfee Groupshield for exchange....
-
December 15th, 2001, 06:56 PM
#6
Banned
It looks like these guys have you squared away. I just wanted to correct a mistake you made in your first post. The SCR file extension is typically associated with screen savers. I have not heard of its use with scripts.
-
December 16th, 2001, 01:12 AM
#7
Intel Mod
Yep, as a screensaver is an executable file, .SCR is likely to be used by malicious code since it is accepted by Windows as a default extension for executables.
-
December 16th, 2001, 05:12 AM
#8
Registered User
You can almost be sure about exe...
Go to the command prompt (or the beloved DOS).
Do:
type filename.scr (exe, com, whatever).
You can clearly see the header is similar:
MZ
Every compiled executable gets this MZ header.
If I'm correct, this MZ is the initials of the guy who first produced it.
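The header check from posts #7 and #8, as an added example that is not part of the original thread: it reads the "MZ" magic, follows the 4-byte offset stored at 0x3C to the "PE\0\0" signature, and compares the result with the file extension. The function names, the extension list and the sample bytes are constructed for illustration.

```python
import os
import struct

# Extensions where an MZ header is expected; .scr (screen saver) is one of them.
EXPECTED_MZ = {".exe", ".scr", ".com", ".dll"}

def classify(data: bytes) -> str:
    """Return 'pe', 'mz' (MZ magic but no PE signature) or 'other'."""
    if data[:2] != b"MZ":
        return "other"
    if len(data) >= 0x40:
        # e_lfanew: little-endian offset of the PE header, stored at 0x3C
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "mz"

def verdict(name: str, data: bytes) -> str:
    """Compare what the content is with what the extension claims."""
    if classify(data) == "other":
        return "not-executable"
    ext = os.path.splitext(name)[1].lower()
    return "executable" if ext in EXPECTED_MZ else "disguised-executable"

def build_pe_stub() -> bytes:
    """Constructed 68-byte sample: DOS header whose e_lfanew points at PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"

# Constructed samples (file name -> leading bytes); none are real malware.
SAMPLES = {
    "sample.scr": build_pe_stub(),                    # screen saver = program
    "sample.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,   # genuine JPEG magic
    "renamed.jpg": build_pe_stub(),                   # program behind .jpg
    "note.eml": b"From: a@example.invalid\r\n",       # plain mail text
    "old.com": b"MZ" + b"\0" * 10,                    # MZ magic, too short for PE
}

def scan(samples: dict) -> dict:
    return {name: verdict(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name:12} {result}")
```

To run it against files on disk, pass each file's first few kilobytes to `verdict()` along with its name.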
-
December 17th, 2001, 02:36 PM
#9
Registered User
[quote]Originally posted by Gabriel:
Sorry I can't help it...
THE JOY of using McAfee Groupshield for exchange....[/quote]
You mean you do use Groupshield?
How do you like it against this type of virus infection?
-
December 17th, 2001, 09:59 PM
#10
Intel Mod
[quote]Originally posted by Gabriel:
Every compiled executable gets this MZ header.
If I'm correct, this MZ is the initials of the guy who first produced it.[/quote]
Yup, Mark Zbikowski.