Aliases: W32/[EMAIL PROTECTED], Worm_Mimail.C, W32/Mimail-C, Mimail.C
Description of Incident
The Mimail worm is today spreading in moderate numbers. The worm is a mass mailer, with an attached zip file (photos.zip), which contains the executable file photos.jpg.exe. The file cannot run without the user extracting the executable and running it. The worm fakes the sender's e-mail address by composing it from 'james@' and the domain name of a recipient. The worm tries to perform a DDoS (Distributed Denial of Service) attack on the following sites:
darkprofits.com
darkprofits.net
www.darkprofits.com
www.darkprofits.net
Subject:
Re[2]: our private photos <random letters>
Attachments:
photos.zip
Message body:
Hello Dear!
Finaly i've found possibility to right u, my lovely girl All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX
Right now enjoy the photos.
Kiss, James.
Severity: Medium
Incidence: Medium
Potential impact: Low
Avoidance Action:
We have received reports that the attachment passed through a File Detector scenario on MAILsweeper for SMTP 4.3.10 and earlier.
As a precaution we advise possibly affected customers to apply a Text Analyzer scenario using the string "possibility to right" as this constant appears in the message and is unlikely to generate false positives.
Other customers should be fully protected by blocking executable file types.
Antivirus updates should be applied where available.
Reference Links:
If any of the links below extend over a single line in your mail client, cut and paste the entire URL.
<http://www.sophos.com/virusinfo/analyses/w32mimailc.html>
<http://www.avp.ch/avpve/worms/email/mimailc.stm>
<http://www.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]>
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.C>
<http://vil.nai.com/vil/content/v_100795.htm>
<http://www.f-secure.com/v-descs/bics.shtml>
Pete Simpson
ThreatLab Manager
------------------------------------------------------------------------------------------------------------------------------------------------
Dear Subscriber,
Over the weekend variants D, E, F, G and H of the W32/Mimail mass mailing worm were identified in the wild, but did not generally spread in significant numbers. These variants are of particular interest to MAILsweeper for SMTP users due to malformation of the zip file attachments.
We have seen samples of the zip files (all called readnow.zip and containing readnow.doc.scr) that are deliberately malformed and may be classified as binary by MAILsweeper.
We advise any customers who are not already doing so to block the attachments with a File Detector scenario, using the explicit masks "photos.zip" and "readnow.zip".
Work is under way to provide a patch to enable correct decomposition of similarly malformed zip files and customers will be advised of availability in due course.
Pete Simpson
ThreatLab Manager
------------------------------------------------------------------------------------------------------------------------------------------------
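The avoidance advice in both advisories (the "possibility to right" text string, the photos.zip/readnow.zip name masks, the forged james@<recipient domain> sender, and zip attachments that cannot be decomposed) can be expressed as a gateway check. The code below is an added illustration, not MAILsweeper's own scenarios; the message, addresses, zip contents and the executable-extension list are constructed for the example.

```python
import email, io, zipfile
from email.message import EmailMessage

BLOCKED_NAMES = {"photos.zip", "readnow.zip"}      # File Detector masks from the advisories
BODY_MARKER = "possibility to right"               # Text Analyzer string from the first advisory
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")   # assumed list of executable extensions to block

def classify_zip(data: bytes) -> str:
    """'executable', 'clean' or 'malformed'. A zip that cannot be decomposed is not passed through."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "malformed"
    return "executable" if any(n.endswith(EXEC_SUFFIXES) for n in names) else "clean"

def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be held back (an empty list means it passes)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    sender, rcpt = msg.get("From", "").lower(), msg.get("To", "").lower()
    if sender.startswith("james@") and sender.rpartition("@")[2] == rcpt.rpartition("@")[2]:
        reasons.append("sender forged as james@<recipient domain>")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in BLOCKED_NAMES:
            reasons.append(f"blocked attachment name: {name}")
        if name.endswith(".zip"):
            verdict = classify_zip(part.get_payload(decode=True))
            if verdict != "clean":
                reasons.append(f"zip attachment {name} is {verdict}")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1", "replace").lower()
            if BODY_MARKER in text:
                reasons.append(f"body contains {BODY_MARKER!r}")
    return reasons

def make_zip(inner_name: str) -> bytes:  # constructed zip with one placeholder file, not a worm sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not an executable")
    return buf.getvalue()

def build_sample(sender: str, body: str, zip_bytes: bytes, attachment_name: str) -> bytes:
    """Constructed message in the shape of the Mimail.C mail (sample data, not a capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "victim@example.org"
    msg["Subject"] = "Re[2]: our private photos qkzt"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=attachment_name)
    return bytes(msg)
```

A malformed zip is reported rather than treated as an opaque binary, which is the gap the second advisory describes.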
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
