RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

  • To: "att13543" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
  • From: "James C. Slora, Jr." <[EMAIL PROTECTED]>
  • Date: Tue, 5 Aug 2003 16:15:36 -0400
  • Thread-index: AcNbjlTNSihqjrwzSdGVqnsVG3MO8A==
  • Thread-topic: WORM_MIMAIL.A Anyone have any info on what this does yet?
Thanks - I see the same in additional copies that arrived yesterday. It
does look like the worm favors high-weight servers, whether by design or
by mistake. Not a single one has come to the primary mail server.


> -----Original Message-----
> From: att13543 [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 1:26 PM
> To: James C. Slora, Jr.; [EMAIL PROTECTED]
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> 
> 
> Seems like the behavior is pretty much universal.  Since the posting,
> I've received two messages through the low weight / primary mail server;
> however, they were in quarantine.  Thinking they might be the original
> spam message, I checked the SMTP header and found out they were actually
> forwarded from a user's outside account.  I should have known, the
> sender wasn't [EMAIL PROTECTED]
> 
> -----Original Message-----
> From: James C. Slora, Jr. [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 04, 2003 11:56 AM
> To: att13543
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> 
> att13543 wrote Monday, August 04, 2003 9:54 AM
> 
> > I'd be interested if anyone can correlate what I've seen:  we have 2 MX
> > records, one weighted at 10 (primary) and one at 20 (secondary).  Of the
> > 200 or so MiMail's we've seen 100% have come through our SECONDARY mail
> > server.  Maybe the SMTP engine was written poorly, or maybe it was this
> > way on purpose?
> 
> All of ours were sent to one specific mail server that is way down the
> priority list.
> 
> This matches previous spammed email malware patterns, and I cannot
> recall any previous worm that looked up all the mail servers and used
> the lowest-priority one. I'm guessing that the ones we have received
> were sent by the worm distributors rather than from infected machines.
> I've dropped them all before the full headers were delivered, so I don't
> have any way to positively verify this theory.
> 
> AV vendor descriptions say the worm takes SMTP server info from the
> infected computer, which is inconsistent with copies arriving through a
> low-priority mail server that users are not aware of.
> 
> Has anyone examined the message headers to see if there is a detectable
> difference between messages coming from an infected system and those
> spammed by the worm author?
> 
> 

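A defender-side check in the spirit of the header question raised in the thread, added here as an example and not taken from any of the posters: given an MX table for a domain and a message's Received headers, it finds the hop where the message crossed from the outside into one of our MX hosts and classifies the copy as having entered via the primary or the backup MX. Host names, addresses and headers below are constructed for the example.

```python
import re
from email import message_from_string

# Constructed MX table for a hypothetical domain, standing in for a DNS MX lookup.
# Lower preference value = higher priority, as in the 10/20 setup discussed above.
MX_RECORDS = {
    "mx1.example.com": 10,   # primary
    "mx2.example.com": 20,   # secondary / backup
}

# "Received: from <peer> ... by <accepting host> ..."; the 'by' host took the hop.
RECEIVED_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)

def boundary_hop(msg_text):
    """Return (peer, mx_host) for the hop where the message entered one of our MX hosts.
    Headers are walked newest-first; only hops written 'by' a host we own are trusted,
    and the walk stops at the first hop whose peer is external, so Received lines a
    sender may have forged beneath the real entry point are never consulted."""
    msg = message_from_string(msg_text)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(hdr.split()))
        if not m:
            continue
        peer, by_host = m.group(1).lower().rstrip("."), m.group(2).lower().rstrip(".;")
        if by_host not in MX_RECORDS:
            return None          # newest hop was not ours: cannot establish a boundary
        if peer not in MX_RECORDS:
            return (peer, by_host)   # external peer reached: this is the entry hop
    return None

def entry_class(msg_text):
    """'primary', 'secondary' or 'unknown' depending on which of our MX hosts accepted it."""
    hop = boundary_hop(msg_text)
    if hop is None:
        return "unknown"
    return "primary" if MX_RECORDS[hop[1]] == min(MX_RECORDS.values()) else "secondary"

# Constructed sample: accepted by the backup MX, relayed to the primary, with a
# sender-supplied Received line underneath that must not influence the result.
VIA_SECONDARY = """\
Received: from mx2.example.com by mx1.example.com with ESMTP id 1; Tue, 5 Aug 2003 15:02:11 -0400
Received: from [192.0.2.77] (helo=pc-77) by mx2.example.com with SMTP id 2; Tue, 5 Aug 2003 15:02:09 -0400
Received: from fake.relay.invalid by somewhere.invalid with SMTP; Tue, 5 Aug 2003 15:01:00 -0400
Subject: constructed sample

body
"""
# Constructed sample: delivered straight to the primary MX.
VIA_PRIMARY = """\
Received: from [198.51.100.5] (helo=mail.sender.invalid) by mx1.example.com with ESMTP id 3; Tue, 5 Aug 2003 15:03:00 -0400
Subject: constructed sample

body
"""
```

Run over a quarantine folder, a spike of copies classified "secondary" from peers that never touch the primary MX is the pattern the thread describes and a cheap thing to alert on.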
Copyright (c) Virus.Org 1997-2006.