Monday, June 26, 2006


It's the first time that the ISSA organisation ( ) and I are organising a malware security event. Let's look together to the announcement.
The ISSA Brussels-European Chapter is proud to announce its next Security Event entitled:
"2006, The changing Battle: Next generation Malware."
What's the current situation concerning malwares circling around the Internet and what's ahead of us? You're welcome to find out during this presentation with possibility for an extensive Questions & Answers session with industry expert Eddy Willems.
This evening event will be held on Wednesday June 28th, 2006
(rest assured : there are really _no_ World Championship Football Matches scheduled on June 28th!!! ;-)
Agenda :
1800h : Welcome
1830h : "2006, The changing Battle : Next generation Malware" by Mr Eddy Willems, Anti-Virus Expert, NOXS and Director
Information & Press, EICAR
1930h : Questions & Answers session
1945h : closing drink with Networking opportunities
This event will be held in the NOXS Belgium Offices, Koningin Astridlaan, 59/10, 1780 WEMMEL.

Thursday, June 22, 2006

Consultancy can be hard ...

During my high-level consultancies I've got problems with traffic jams, fire alarms and even bomb attacks however sometimes I got lucky. My customer 'Modular' today won the Jupiler Blue Lunch Tournée Générale in cooperation with radiostation Q-Music. I got the possiblity to join them at a free lunch with free beer.

Wednesday, June 21, 2006

Bagles and Worldcup viruses.

I usually receive new Bagle variants once or twice a week but for the past one week we received a new Bagle once per day. Today's W32/Bagle.fb@mm arrives in email messages as a password protected archive and the password is included in the email body as a picture.

Since the FIFA World Cup is in progress, it's not such a surprise that another Soccer themed worm, W32/Sixem.a@mm , has been discovered. The worm sends itself in e-mails that look like they come from news at CNN, Hotmail or Yahoo! domains, and uses various subjects such as "Soccer fans killed five teens", "Crazy soccer fans", etc. This worm is not widely spread so please don't worry as we don't have an outbreak of this one!

Tuesday, June 13, 2006

Yamanner : JavaScript worm targetting Yahoo! Mail.

There has been some media attention on the new JavaScript worm Yamanner that targets Yahoo! webmail and groups. The "Yamanner" worm exploits a JavaScript vulnerability in Yahoo's Web mail. The worm targets addresses with the "" and "" domains, and arrives as an HTML message containing JavaScript. As soon as the recipient views the message, the script automatically runs to spread the worm to other users in the Yahoo address book. The message will have a From address of and a Subject: of "New Graphic Site." Harvested addresses from the address book are then submitted to a remote URL, which is likely to be used for a spam database. Yamanner won't execute on the newest Yahoo Mail Beta. Until Yahoo patches the flaw, I recommended users to steer clear of the service or disable the browser's JavaScript capabilities before reading any Web mail. This type of worm is not a surprise - it has been theorized a few years ago. Yamanner is however the first worm to be realized in the wild. Please note however that we don't see many cases of it right now as most vendors has already full detection.

Tuesday, June 06, 2006

Weird numbers emails???

I've received some questions on weird spam messages going around that look like this:
Subject: 586876
Body: 5556
Subject: 455
Body: 969
There seems to be lots of them going around, looking at some of the discussion on the topic at some newsgroups. The mails don't contain an attachment. There are only some strange numbers involved. The numbers keep changing though? So what are they? I'm not sure, but it might be that some botnet spammer is checking the quality of his email lists: finding out which messages bounce and which don't or maybe it was a glitch ... his finger pushed on the wrong button. Also spammers are humans aren't they?