The From address in the email is spoofed.
The To address is obtained from email.people.yahoo.com queries.
The subject will be any one of the following:
- Delivery Status (Failure)
- failed transaction
- failure delivery
- mail failure
- returned mail
- server error
The message body will be any one of the following:
- This is an automatically generated Delivery Status Notification.
Delivery to last recipient failed.
Email returned as attachment text file.
Message from Mail Delivery Server.
Unable to deliver message to last recipient.
Email returned as text file.
Email returned by the server as ASCII Text mail file.
To read the email download the included attachment.
Mail Server Notice:
Last email sent could not reach intented destination.
Email returned as ASCII text file.
The last email sent by this account could not reach intended destination.
Email has been returned as text file attachment.
Mail Delivery Status Notification:
Message returned by server. Message returned as text file attachment.
The attachment may be either an SCR or EXE and the filename is composed of two parts. The first part will be any one of the following:
- body
- message
- returned
- text
- document
The second part will be any one of the following:
- scr
- txt.scr
- html.scr
- outlook.scrtxt.exe
For example, the message attachment may be 'body.scr' or 'returned.html.scr'.
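A mail-filter check for the subject and attachment-name indicators listed above, added here as an example and not part of the original description. The function names, addresses and sample messages are constructed for illustration; the indicator strings are copied from the lists on this page.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator values copied verbatim from the lists above, lower-cased.
SUBJECTS = {"delivery status (failure)", "failed transaction", "failure delivery",
            "mail failure", "returned mail", "server error"}
NAME_FIRST = {"body", "message", "returned", "text", "document"}
NAME_SECOND = {"scr", "txt.scr", "html.scr", "outlook.scrtxt.exe"}

def attachment_matches(filename):
    """True when filename is <first part>.<second part> from the lists."""
    first, dot, second = filename.strip().lower().partition(".")
    return bool(dot) and first in NAME_FIRST and second in NAME_SECOND

def indicator_hits(raw_bytes):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and attachment_matches(name):
            hits.append("attachment:" + name.lower())
    return hits

def build_sample(subject, filename):
    """Constructed test message; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Email returned as text file.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Mail Failure", "returned.html.scr"),
                        ("returned mail", "report.pdf")]:
        print(subj, fname, indicator_hits(build_sample(subj, fname)))
```

A subject match alone also fires on genuine bounce messages, so treat the attachment-name hit as the stronger signal and the subject as supporting context.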

