CRIME FW: Cyber Advisory from our NY Partners

From: George Heuston (geoneve@private)
Date: Tue Nov 18 2003 - 10:35:43 PST

    -----Original Message-----
    From: Gregg Shankle [mailto:Gregg.Shankle@private] 
    Sent: Tuesday, November 18, 2003 8:24 AM
    To: boyd_r@private; geoneve@private;
    infragard.portland@private; Chris Aldrich; David C Yandell; Barbara A
    Jensen; Michael S Curtis; Phyllis Michael; Steve Payne; Abe Yoakum; Pat
    Pope; RAMAKRISHNAN Ranjit; Steve Ollis; zot@private
    Cc: John Salle
    Subject: Cyber Advisory from our NY Partners
    
    NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE
    COORDINATION CYBER ADVISORY
    
    SUBJECT: 
    
     Update - Two W32.Mimail@mm variants proliferating in the wild at an
    increasing rate.
    
    OVERVIEW:
    
    On October 31, 2003 CSCIC posted an advisory related to W32.Mimail.C@mm:
    http://www.cscic.state.ny.us/advisories/oct03/10_31.htm

    The latest two Mimail variants are being reported as spreading in the
    wild. These mass-mailing worms attempt to steal personal information
    through social engineering techniques.

    SYSTEMS AFFECTED: 
    
    Microsoft Windows 2000
    Microsoft Windows NT 4.0
    Microsoft Windows Server 2003
    Microsoft Windows 95/98/Me/XP
    
    Risk:

    *	Government:
    - Large and medium government entities: Medium
    - Small government entities: High

    *	Businesses:
    - Large and medium businesses: Medium
    - Small businesses: High

    *	Home users: High

    DESCRIPTION:
    
    W32.Mimail.J@mm
    
    This mass-mailing worm is received in the form of an email with an
    attachment containing a series of forms, requesting the user to submit
    sensitive credit card and other personal information in order to update
    a non-existing account.

    W32.Mimail.I@mm
    
    W32.Mimail.I@mm is similar to W32.Mimail.J@mm in terms of functionality;
    however, there have been fewer reports of its existence in the wild at
    this time.

    Both W32.Mimail.I@mm and W32.Mimail.J@mm messages appear to be generated
    from www.paypal.com <http://www.paypal.com/>, which is an online payment
    service.

    RECOMMENDATIONS: 
    
    *	Filter messages that contain the text "From: Do_Not_Reply@private"
    *	Filter .exe and .pif files at the mail gateway if these file types
    are not required for business operation
    *	Instruct user population to not open any applications that are
    emailed to them from untrusted sources
    *	Instruct user population to report any email that is received that
    appears to be from Paypal and to not open this email
    *	Verify that your firewall is blocking inbound and outbound port 25
    (SMTP) connections, except to and from external mail gateways
    *	Review firewall logs for hosts attempting to send email directly (not
    using the SMTP gateway) and examine these hosts, as this behavior may be
    a secondary indicator of infection with a mass-mailing worm that uses
    its own SMTP engine

    REFERENCES:
    
    Symantec:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.i@mm.html

    McAfee:

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100825
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100822

    Trend Micro:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.J
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.I

    CSCIC:

    http://www.cscic.state.ny.us/advisories/oct03/10_31.htm

    NYS Cyber Security & Critical Infrastructure
    30 South Pearl Street, Suite P2
    Albany, NY 12207
    (518) 474-0865
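The two gateway-side and firewall-side checks the advisory recommends, worked as an added example that is not part of the forwarded advisory, of CSCIC's tooling, or of this list: a mail filter that holds messages whose From header carries the named sender text or that carry a .exe/.pif attachment, and a firewall-log review that lists internal hosts opening outbound TCP/25 to anything other than the approved mail gateway. The sample message, the log line format, the IP addresses and the gateway address 10.1.0.25 are all constructed for the example; the archive has redacted the sender's domain to "private", so that string is kept as a placeholder to be replaced with the real value.

```python
"""Mail-gateway and firewall-log checks from the Mimail advisory (added example;
not the advisory's own code). All messages, log lines, hosts and the gateway
address are constructed for illustration."""
import re
from email import message_from_string

# Sender text named in the advisory. The list archive redacted the domain to
# "private"; substitute the real value before deploying.
BLOCKED_SENDER_TEXT = ("Do_Not_Reply@private",)
# Attachment types the advisory suggests filtering at the gateway.
BLOCKED_EXTENSIONS = (".exe", ".pif")


def filter_reasons(raw_message: str) -> list:
    """Return why a message would be held at the gateway (empty list = deliver)."""
    msg = message_from_string(raw_message)
    reasons = []
    sender = msg.get("From", "")
    for text in BLOCKED_SENDER_TEXT:
        if text.lower() in sender.lower():
            reasons.append(f"sender matches blocked text {text!r}")
    # walk() visits every MIME part, including nested multiparts
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"attachment {name!r} has a blocked extension")
    return reasons


# Constructed firewall log format: "<date> <time> <ACTION> TCP src:port -> dst:port"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def direct_smtp_senders(log_lines, mail_gateways):
    """Map each internal host that opened TCP/25 without going through an
    approved gateway to the set of destinations it tried. Both ALLOW and DENY
    entries count: the attempt itself is the indicator the advisory describes."""
    suspects = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["dport"] != "25":
            continue
        # the gateway relaying outbound, or a client submitting to the gateway, is normal
        if m["src"] in mail_gateways or m["dst"] in mail_gateways:
            continue
        suspects.setdefault(m["src"], set()).add(m["dst"])
    return suspects


# Constructed sample message: blocked sender text plus a .pif attachment.
SAMPLE_MESSAGE = """\
From: Do_Not_Reply@private
To: user@example.org
Subject: account update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please update your account using the attached form.
--b1
Content-Type: application/octet-stream; name="form.pif"
Content-Disposition: attachment; filename="form.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

CLEAN_MESSAGE = "From: colleague@example.org\nTo: user@example.org\nSubject: lunch\n\nNoon?\n"

# Constructed log: 10.1.0.25 is the approved gateway; 10.1.5.23 and 10.1.9.8 send directly.
FIREWALL_LOG = """\
2003-11-18 08:24:01 ALLOW TCP 10.1.0.25:4011 -> 203.0.113.9:25
2003-11-18 08:24:03 ALLOW TCP 10.1.5.23:3412 -> 10.1.0.25:25
2003-11-18 08:24:05 DENY TCP 10.1.5.23:3413 -> 198.51.100.17:25
2003-11-18 08:24:05 DENY TCP 10.1.5.23:3414 -> 198.51.100.18:25
2003-11-18 08:24:09 ALLOW TCP 10.1.7.40:1055 -> 198.51.100.5:80
2003-11-18 08:24:11 DENY TCP 10.1.9.8:2201 -> 192.0.2.77:25
"""

if __name__ == "__main__":
    print("sample message:", filter_reasons(SAMPLE_MESSAGE))
    print("clean message:", filter_reasons(CLEAN_MESSAGE))
    for host, dsts in direct_smtp_senders(FIREWALL_LOG.splitlines(), {"10.1.0.25"}).items():
        print(f"{host} attempted direct SMTP to {sorted(dsts)}")
```

Denied connections are deliberately kept in the review: once the firewall policy from the advisory is in place, a worm with its own SMTP engine shows up as a burst of DENY entries on port 25 from one workstation, which is exactly the secondary indicator the last recommendation describes.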



    This archive was generated by hypermail 2b30 : Tue Nov 18 2003 - 11:37:33 PST