RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
From: att13543 (skid@attglobal.net)
Date: Mon Aug 04 2003 - 08:53:53 CDT
I'd be interested if anyone can correlate what I've seen: we have 2 MX
records, one weighted at 10 (primary) and one at 20 (secondary). Of the
200 or so MiMail's we've seen 100% have come through our SECONDARY mail
server. Maybe the SMTP engine was written poorly, or maybe it was this
way on purpose?
-----Original Message-----
From: Butterworth, James J. EWC (C3F J39) [mailto:james.butterworth@c3f.navy.mil]
Sent: Friday, August 01, 2003 7:43 PM
To: Jay Woody; incidents@securityfocus.com
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
There is a list of SMTP servers; once infected, the virus will scan
the infected system looking for valid emails, store them in "eml.tmp" in
the C:\windows dir, and once it senses an internet connection will forward
itself to everyone in the eml.tmp file via those external SMTP servers.
The virus writes the following key to make sure it runs at start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VideoDriver = <Windows directory>\videodrv.exe
Check for:
C:\Windows\videodrv.exe (payload)
C:\Windows\eml.tmp (list of emails the payload found to send itself to)
c:\Windows\foo.exe (installation file)
r/Jim Butterworth
> -----Original Message-----
> From: Jay Woody [SMTP:jay_woody@tnb.com]
> Sent: Friday, August 01, 2003 11:54 AM
> To: incidents@securityfocus.com
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
> We are just dropping everything from admin@tnb.com. This message
> seems to always use admin as the "From:" field and just append our
> company name to it. We will probably also use another piece of
> equipment to do a subject line drop also.
>
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
>
> JayW
>
> >>> "Schmehl, Paul L" <pauls@utdallas.edu> 08/01/03 01:16PM >>>
> <http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html>
>
> We're blocking message.zip at the gateway.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
> > -----Original Message-----
> > From: Danny [mailto:drh26@drexel.edu]
> > Sent: Friday, August 01, 2003 12:56 PM
> > To: incidents@securityfocus.com
> > Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
> >
> >
> > We are getting flooded with these little puppies. Does anyone
> > have any additional info on what this thing does once it infects a
> > host? I'll be infecting a box to test myself after I send this
> > email, but if anyone has done testing already it would be great
> > to hear your input.
>
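An added example, not part of this thread, that turns the host indicators Jim Butterworth lists above (videodrv.exe, eml.tmp and foo.exe in the Windows directory, and the VideoDriver value under the Run key, read from his message as written) into a check a responder can run against a suspect box. The Windows directory path, the helper names and the sample host state are assumptions; on a live Windows host you would pass the output of `read_run_values_windows()` and the real `os.path.exists` instead of the constructed data.

```python
import ntpath
import os
from typing import Callable, Dict, List

# Artifacts reported in the message above: file names relative to the
# Windows directory, and the value name written under the Run key.
MIMAIL_FILES = {
    "videodrv.exe": "payload",
    "eml.tmp": "harvested address list",
    "foo.exe": "installation file",
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "VideoDriver"


def read_run_values_windows() -> Dict[str, str]:
    """Enumerate HKLM\\...\\Run on a live Windows host (winreg is Windows-only)."""
    import winreg  # imported lazily so the module also loads on non-Windows hosts
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises once no more values remain
                break
            values[name] = str(data)
            index += 1
    return values


def find_mimail_indicators(
    windows_dir: str,
    run_values: Dict[str, str],
    file_exists: Callable[[str], bool] = os.path.exists,
) -> List[str]:
    """Return one human-readable finding per indicator that is present.

    run_values and file_exists are injectable so the same logic can be run
    against constructed data (as below) or against a live host.
    """
    findings: List[str] = []
    for name, role in MIMAIL_FILES.items():
        path = ntpath.join(windows_dir, name)  # Windows path semantics on any OS
        if file_exists(path):
            findings.append(f"file present: {path} ({role})")
    for name, data in run_values.items():
        # Match the reported value name, or any Run entry that launches the
        # payload binary under a different value name.
        if name.lower() == RUN_VALUE_NAME.lower() or "videodrv.exe" in data.lower():
            findings.append(f"Run value: {name} = {data}")
    return findings


# Constructed sample host state (assumption, not a real system): two of the
# three files exist and the Run value is set; ctfmon is a benign entry.
SAMPLE_FILES = {r"C:\WINDOWS\videodrv.exe", r"C:\WINDOWS\eml.tmp"}
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "VideoDriver": r"C:\WINDOWS\videodrv.exe",
}


def sample_findings() -> List[str]:
    return find_mimail_indicators(
        r"C:\WINDOWS",
        SAMPLE_RUN_VALUES,
        file_exists=lambda p: p in SAMPLE_FILES,
    )


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Matching the Run entry on the binary name as well as on the value name catches the case where the persistence value is renamed but still points at videodrv.exe; absence of all three files with a matching Run entry is itself worth flagging, since it suggests partial cleanup.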
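An added example, not from anyone in this thread, showing the two gateway-side measures mentioned above as one policy check: dropping mail whose From address is admin@ the organisation's own domain (Jay Woody's rule) and dropping mail carrying an attachment named message.zip (Paul Schmehl's rule). The protected domain `example.com`, the function names and the constructed test messages are assumptions; the attachment bytes are a placeholder, not a worm sample.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

OUR_DOMAIN = "example.com"             # assumption: the domain the gateway protects
SPOOFED_LOCAL_PARTS = {"admin"}         # the forged sender local part reported in the thread
BLOCKED_ATTACHMENTS = {"message.zip"}   # the attachment name blocked at the gateway


def gateway_verdict(raw: bytes) -> List[str]:
    """Return the reasons a message would be dropped; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []

    # Rule 1: inbound mail claiming to come from admin@<our own domain>.
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    if domain.lower() == OUR_DOMAIN and local.lower() in SPOOFED_LOCAL_PARTS:
        reasons.append(f"sender {addr} uses a forged internal admin address")

    # Rule 2: the blocked attachment name, compared case-insensitively.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename in BLOCKED_ATTACHMENTS:
            reasons.append(f"attachment {filename} is on the block list")
    return reasons


def build_sample(sender: str, attachment_name: Optional[str]) -> bytes:
    """Constructed test message (assumption); the zip bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "someone@" + OUR_DOMAIN
    msg["Subject"] = "your account"
    msg.set_content("see attached")
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample("admin@" + OUR_DOMAIN, "MESSAGE.ZIP")))
    print(gateway_verdict(build_sample("colleague@partner.example", "report.pdf")))
```

The sender rule only fires for the organisation's own domain, so legitimate admin@ mail from other domains is not affected; it still needs an exception for any internal system that genuinely sends as admin@ through the same gateway.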