> Any time something like this happens, where a virus is not caught, we
> compare the file that Declude Virus creates with the one created by a
> standard mail client, just to be sure that it isn't something with the way
> that Declude Virus is decoding the E-mail.  In this case, though, that
> wasn't even required -- F-Prot won't detect the virus in the file as saved
> by a mail client.  Since it is nearly impossible for a .ZIP file to be
> corrupted (it has a CRC test built into the .ZIP file), we know that F-Prot
> is seeing exactly what the virus writer wrote.

I wrote to F-Prot yesterday and here is the reply I got this morning
([EMAIL PROTECTED]):

Hello and thank you for your mail.

The Mimail.A worm started spreading this weekend and has already gained wide
distribution. W32/[EMAIL PROTECTED] spreads by infected attachments to e-mail
messages disguised as being from the recipient's local administrator.

W32/[EMAIL PROTECTED] is detected and prevented from running with the latest
versions of F-Prot Antivirus (released on 2-5 August 2003) using virus
signature files dated 2 August 2003 or later.

Windows users using the RealTime Protector were not in any danger from
W32/[EMAIL PROTECTED] as the RealTime Protector stopped it from executing.

We urge users of F-Prot Antivirus products to update their virus signature
files and their programs as new versions become available and also to patch
against the vulnerabilities used by W32/[EMAIL PROTECTED] with the patch available
from Microsoft's site
(http://www.microsoft.com/windows/ie/downloads/critical/330994/default.asp).

W32/[EMAIL PROTECTED] details

The e-mail's message is as follows:

From: [EMAIL PROTECTED]
Subject: your account :  ( + 'random characters')

Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details
---
Best regards, Administrator
Attachment: message.zip

When opened, the attachment infects the computer by dropping an executable
named foo.exe and running it, thereby also mailing itself to several
addresses collected from the local hard drive.

W32/[EMAIL PROTECTED] uses a vulnerability to create a copy of the worm in the
Temporary Internet Files folder, and then run it.

For information on this vulnerability and a patch visit:
http://www.microsoft.com/technet/security/bulletin/MS03-014.asp

Best regards,
Kolbrun Valbergsdottir
F-Prot Antivirus Tech Support

[EMAIL PROTECTED]
http://www.f-prot.com
Tel: +354 540-7400
Fax: +354 540-7401
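
The check described in the quoted text at the top of this message (comparing the attachment as decoded from the mail with a copy saved by a mail client, and relying on the ZIP CRC test) can be scripted as below. This is an added example, not part of the original thread and not Declude or F-Prot code; the function names, addresses and the harmless sample message are constructed for illustration.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed test message carrying a harmless, uncompressed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("note.txt", "harmless constructed payload\n")
    msg = EmailMessage()
    msg["From"] = "admin@example.test"      # constructed address
    msg["To"] = "user@example.test"         # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()


def zip_attachments(raw: bytes):
    """Yield (filename, decoded bytes) for every .zip attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            yield name, part.get_payload(decode=True)


def check_zip(data: bytes) -> dict:
    """Run the ZIP CRC test on every member and fingerprint the archive."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "intact": False, "bad_member": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # testzip() returns None when every member's CRC-32 matches,
            # otherwise the name of the first member that fails.
            report["bad_member"] = z.testzip()
            report["intact"] = report["bad_member"] is None
    except zipfile.BadZipFile:
        pass  # not a readable ZIP at all; "intact" stays False
    return report


if __name__ == "__main__":
    for name, data in zip_attachments(build_sample()):
        print(name, check_zip(data))
```

Run `check_zip` on both the scanner's decoded copy and the mail client's saved copy: matching `sha256` values with `intact` true on both means the two programs extracted the same bytes.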


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.