Virus.Org Mailing List Archive




RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

  • To: "'James C. Slora, Jr.'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
  • From: "att13543" <[EMAIL PROTECTED]>
  • Date: Tue, 5 Aug 2003 13:26:23 -0400
  • In-reply-to: <[EMAIL PROTECTED]>
Seems like the behavior is pretty much universal.  Since the posting,
I've received two messages through the low weight / primary mail server;
however, they were in quarantine.  Thinking they might be the original
spam message, I checked the SMTP header and found out they were actually
forwarded from a user's outside account.  I should have known, the
sender wasn't [EMAIL PROTECTED]

-----Original Message-----
From: James C. Slora, Jr. [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2003 11:56 AM
To: att13543
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

att13543 wrote Monday, August 04, 2003 9:54 AM

> I'd be interested if anyone can correlate what I've seen:  we have 2 MX
> records, one weighted at 10 (primary) and one at 20 (secondary).  Of the
> 200 or so MiMail's we've seen 100% have come through our SECONDARY mail
> server.  Maybe the SMTP engine was written poorly, or maybe it was this
> way on purpose?

All of ours were sent to one specific mail server that is way down the
priority list.

This matches previous spammed email malware patterns, and I cannot
recall any previous worm that looked up all the mail servers and used
the lowest-priority one. I'm guessing that the ones we have received
were sent by the worm distributors rather than from infected machines.
I've dropped them all before the full headers were delivered, so I don't
have any way to positively verify this theory.

AV vendor descriptions say the worm takes SMTP server info from the
infected computer, which is inconsistent with copies arriving through a
low-priority mail server that users are not aware of.

Has anyone examined the message headers to see if there is a detectable
difference between messages coming from an infected system and those
spammed by the worm author?
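The question above, whether the headers reveal which MX accepted a message, is something a mail administrator can check mechanically. The following is an added example, not code from either poster: it unfolds a message's Received: headers, walks the hops from oldest to newest, finds the first of our own MX hosts that accepted the message from outside, and reports whether that host is the primary (lowest-preference) MX. The domain example.net, the MX list, the hostnames and the sample headers are all constructed for illustration.

```python
import re

# Constructed MX records for a hypothetical domain (assumption, not from the thread):
# (preference, host); lower preference value = higher priority.
MX_RECORDS = [
    (10, "mx1.example.net"),   # primary
    (20, "mx2.example.net"),   # secondary
]

# Matches the "from <host> ... by <host>" clauses of an unfolded Received: header.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def primary_mx(mx_records):
    """Return the host with the lowest preference value (the primary MX)."""
    return min(mx_records)[1]


def unfold_headers(raw):
    """Join folded header lines (continuations start with whitespace) and stop
    at the blank line that ends the header section."""
    lines = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return (from_host, by_host) pairs in header order, newest hop first."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group("from").lower().rstrip(";,"),
                         m.group("by").lower().rstrip(";,")))
    return hops


def entry_mx(hops, mx_hosts):
    """Walk the hops oldest-first and return the first of our MX hosts that
    accepted the message, i.e. the host the outside sender connected to."""
    for _from_host, by_host in reversed(hops):
        if by_host in mx_hosts:
            return by_host
    return None


def classify(raw_message, mx_records=MX_RECORDS):
    """Report which MX accepted the message and whether it was the primary.
    Arrival via a non-primary MX is not proof of anything by itself, but it
    is the pattern described in the thread and worth correlating."""
    prefs = {host.lower(): pref for pref, host in mx_records}
    host = entry_mx(received_hops(raw_message), set(prefs))
    return {
        "entry_mx": host,
        "preference": prefs.get(host),
        "is_primary": None if host is None else host == primary_mx(mx_records).lower(),
    }


# Constructed sample: delivered to the secondary MX by an unknown host.
SAMPLE_VIA_SECONDARY = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by internal.example.net (Postfix) with ESMTP id ABC123
    for <user@example.net>; Mon, 4 Aug 2003 09:50:01 -0400
Received: from [203.0.113.7] (unknown [203.0.113.7])
    by mx2.example.net (Postfix) with SMTP id DEF456
    for <user@example.net>; Mon, 4 Aug 2003 09:49:58 -0400
Subject: your account

body text
"""

# Constructed sample: ordinary delivery through the primary MX.
SAMPLE_VIA_PRIMARY = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by internal.example.net (Postfix) with ESMTP id 111111
    for <user@example.net>; Mon, 4 Aug 2003 09:55:10 -0400
Received: from mail.partner.example (mail.partner.example [198.51.100.5])
    by mx1.example.net (Postfix) with ESMTP id 222222
    for <user@example.net>; Mon, 4 Aug 2003 09:55:05 -0400
Subject: meeting notes

body text
"""

if __name__ == "__main__":
    for name, msg in (("secondary", SAMPLE_VIA_SECONDARY), ("primary", SAMPLE_VIA_PRIMARY)):
        print(name, classify(msg))
```

Running the block on the two constructed samples reports mx2.example.net (preference 20, not primary) for the first and mx1.example.net (preference 10, primary) for the second; a message with no Received: headers yields None for every field rather than a guess. Run over a quarantine folder, the `is_primary` flag gives the correlation the thread asks for without relying on the sender address, which the poster notes is forged.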
