. Welcome to the Virus.Org Mailing List Archive  
RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

  • To: <[EMAIL PROTECTED]>
  • Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
  • From: "Jerry Shenk" <[EMAIL PROTECTED]>
  • Date: Mon, 4 Aug 2003 11:42:52 -0400
  • In-reply-to: <[EMAIL PROTECTED]>
Ya know, I thought it was just a coincidence but I saw some instances of
this going through our mail scanner and it seemed like it might have
gone through a secondary MX also.  We hadn't really dug into it but
seeing somebody else mentioning it does make it look like it may be a
design issue.  I'm gonna dig into this a little more.

-----Original Message-----
From: att13543 [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2003 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?


I'd be interested if anyone can correlate what I've seen:  we have 2 MX
records, one weighted at 10 (primary) and one at 20 (secondary).  Of the
200 or so MiMails we've seen, 100% have come through our SECONDARY mail
server.  Maybe the SMTP engine was written poorly, or maybe it was this
way on purpose?


-----Original Message-----
From: Butterworth, James J. EWC (C3F J39)
[mailto:[EMAIL PROTECTED] 
Sent: Friday, August 01, 2003 7:43 PM
To: Jay Woody; [EMAIL PROTECTED]
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?


There is a list of SMTP servers that, once infected, the virus will scan
the infected system looking for valid emails, store it in "eml.tmp"
C:\windows dir, and once it senses an internet connection will forward
itself to everyone in the eml.tmp file via those external SMTP servers.
The virus writes the following key to make sure it runs at start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver = C:\Windows directory\videodrv.exe

Check for:
C:\Windows\videodrv.exe (payload)
C:\Windows\eml.tmp (list of emails the payload found to send itself to)
c:\Windows\foo.exe (installation file)

r/Jim Butterworth


> -----Original Message-----
> From:	Jay Woody [SMTP:[EMAIL PROTECTED]
> Sent:	Friday, August 01, 2003 11:54 AM
> To:	[EMAIL PROTECTED]
> Subject:	RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> 
> We are just dropping everything from [EMAIL PROTECTED]  This message 
> seems to always use admin as the "From:" field and just append our 
> company name to it.  We will probably also use another piece of 
> equipment to do a subject line drop also.
> 
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
> 
> JayW
> 
> >>> "Schmehl, Paul L" <[EMAIL PROTECTED]> 08/01/03 01:16PM >>>
> <http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html>
> 
> We're blocking message.zip at the gateway.
> 
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
> 
> > -----Original Message-----
> > From: Danny [mailto:[EMAIL PROTECTED]
> > Sent: Friday, August 01, 2003 12:56 PM
> > To: [EMAIL PROTECTED] 
> > Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
> > 
> > 
> > We are getting flooded with these little puppies, does anyone have any
> > additional info on what this thing does once it infects a host? I'll be
> > infecting a box to test myself after I send this email but if anyone
> > has done testing already it would be great to hear your input.
> 
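A gateway-side triage check that combines the indicators posted in this thread (a From: address of admin@ at our own domain, the message.zip attachment, and which of our two MX hosts actually accepted the mail, the correlation att13543 asked about). This is an added example and is not code from any poster or from the Virus.Org archive. The domain name, the MX host names and their primary/secondary roles, and the sample message are constructed assumptions; in practice the raw messages would come from the gateway's quarantine or mail log.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from collections import Counter

# Assumptions for this example: our own domain and the two MX hosts
# weighted 10 (primary) and 20 (secondary), as described in the thread.
OUR_DOMAIN = "example.com"
MX_HOSTS = {"mx1.example.com": "primary", "mx2.example.com": "secondary"}

# Indicators quoted in the thread: admin@<our domain> as the sender,
# and an attachment named message.zip.
SPOOFED_LOCAL_PART = "admin"
BLOCKED_ATTACHMENT = "message.zip"


def receiving_mx(msg):
    """Return the first of our MX hosts that accepted this message.

    Each hop prepends its own Received header, so the earliest hop is the
    last header; walk bottom-up and take the first 'by <host>' that names
    one of our own servers.  Only the line written by our own host is
    trustworthy; anything below it was supplied by the sending system.
    """
    for received in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", received)
        if m and m.group(1).lower() in MX_HOSTS:
            return m.group(1).lower()
    return None


def attachment_names(msg):
    """Lower-cased file names of every MIME part that carries a filename."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def triage(raw):
    """Classify one raw RFC 822 message; returns a verdict dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # Jay Woody's indicator: "admin" as the local part with our company domain.
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if local.lower() == SPOOFED_LOCAL_PART and domain.lower() == OUR_DOMAIN:
        reasons.append("sender spoofs admin@" + OUR_DOMAIN)

    # Paul Schmehl's indicator: the message.zip attachment blocked at the gateway.
    if BLOCKED_ATTACHMENT in attachment_names(msg):
        reasons.append("attachment " + BLOCKED_ATTACHMENT)

    mx = receiving_mx(msg)
    return {
        "block": bool(reasons),
        "reasons": reasons,
        "mx": mx,
        "mx_role": MX_HOSTS.get(mx, "unknown"),
    }


def tally_by_mx(raw_messages):
    """Count flagged messages by the MX role that accepted them."""
    counts = Counter()
    for raw in raw_messages:
        verdict = triage(raw)
        if verdict["block"]:
            counts[verdict["mx_role"]] += 1
    return counts


# Constructed sample: a worm-style message that entered via the secondary MX.
SAMPLE = b"""Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mail.example.com with ESMTP; Mon, 4 Aug 2003 09:50:01 -0400
Received: from pc123.example.net (unknown [198.51.100.7])
\tby mx2.example.com with SMTP; Mon, 4 Aug 2003 09:49:58 -0400
From: admin@example.com
To: user@example.com
Subject: your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(tally_by_mx([SAMPLE]))
```

Run `tally_by_mx` over a day's worth of quarantined messages to see whether the primary/secondary split att13543 reported holds for your own MX pair. The attachment-name and sender checks are deliberately narrow to what the thread reports; they catch this variant's mail, not the worm in general.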


Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.