-----Original Message-----
From: Gregg Shankle [mailto:Gregg.Shankle@private]
Sent: Tuesday, November 18, 2003 8:24 AM
To: boyd_r@private; geoneve@private; infragard.portland@private; Chris Aldrich; David C Yandell; Barbara A Jensen; Michael S Curtis; Phyllis Michael; Steve Payne; Abe Yoakum; Pat Pope; RAMAKRISHNAN Ranjit; Steve Ollis; zot@private
Cc: John Salle
Subject: Cyber Advisory from our NY Partners

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION

CYBER ADVISORY

SUBJECT: Update - Two W32.Mimail@mm variants proliferating in the wild at an increasing rate.

OVERVIEW:
On October 31, 2003 CSCIC posted an advisory related to W32.Mimail.C@mm.
http://www.cscic.state.ny.us/advisories/oct03/10_31.htm

The latest two Mimail variants are being reported as spreading in the wild. These mass-mailing worms attempt to steal personal information through social engineering techniques.

SYSTEMS AFFECTED:
Microsoft Windows 2000
Microsoft Windows NT 4.0
Microsoft Windows Server 2003
Microsoft Windows 95/98/Me/XP

Risk:
* Government:
- Large and medium government entities: Medium
- Small government entities: High
* Businesses:
- Large and medium businesses: Medium
- Small businesses: High
* Home users: High

DESCRIPTION:
W32.Mimail.J@mm
This mass-mailing worm is received in the form of an email with an attachment containing a series of forms, requesting the user to submit sensitive credit card and other personal information in order to update a non-existent account.

W32.Mimail.I@mm
W32.Mimail.I@mm is similar to W32.Mimail.J@mm in terms of functionality; however, there have been fewer reports of its existence in the wild at this time.

Both W32.Mimail.I@mm and W32.Mimail.J@mm messages appear to be generated from www.paypal.com, which is an online payment service.
RECOMMENDATIONS:
* Filter messages that contain the text "From: Do_Not_Reply@private"
* Filter .exe and .pif files at the mail gateway if these file types are not required for business operation
* Instruct user population not to open any applications that are emailed to them from untrusted sources
* Instruct user population to report any email that is received that appears to be from Paypal and not to open this email
* Verify that your firewall is blocking inbound and outbound port 25 (SMTP) connections, except to and from external mail gateways
* Review firewall logs for hosts attempting to send email directly (not using the SMTP gateway) and examine these hosts, as this behavior may be a secondary indicator of infection with a mass-mailing worm that uses its own SMTP engine

REFERENCES:
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.i@mm.html
McAfee:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100825
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100822
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.J
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.I
CSCIC:
http://www.cscic.state.ny.us/advisories/oct03/10_31.htm

NYS Cyber Security & Critical Infrastructure
30 South Pearl Street, Suite P2
Albany, NY 12207
(518) 474-0865
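An added example, not part of the advisory or of any CSCIC tooling, that turns the gateway attachment rule and the firewall-log review above into a check: it flags internal hosts opening port-25 connections to external addresses without going through the approved mail gateway (the secondary indicator of a worm carrying its own SMTP engine) and applies the .exe/.pif attachment rule. The log line format, the 10.0.0.0/8 internal range and the gateway address 10.1.1.5 are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the advisory); the format
# "timestamp action src dst proto dport" is an assumption for this example.
SAMPLE_LOG = """\
2003-11-18T08:01:02 ALLOW 10.1.1.5 203.0.113.25 TCP 25
2003-11-18T08:01:03 DENY 10.1.2.44 198.51.100.7 TCP 25
2003-11-18T08:01:04 DENY 10.1.2.44 198.51.100.8 TCP 25
2003-11-18T08:01:05 ALLOW 10.1.2.44 10.1.1.5 TCP 25
2003-11-18T08:01:06 ALLOW 10.1.3.9 93.184.216.34 TCP 80
2003-11-18T08:01:07 DENY 10.1.2.44 198.51.100.9 TCP 25
2003-11-18T08:01:08 DENY 10.1.7.12 198.51.100.3 TCP 25
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed
MAIL_GATEWAYS = {ipaddress.ip_address("10.1.1.5")}          # assumed relay
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (TCP|UDP) (\d+)$")
BLOCKED_EXT = (".exe", ".pif")

def blocked_attachment(filename):
    """Gateway attachment rule from the advisory: reject .exe and .pif,
    matched case-insensitively on the final extension."""
    return filename.lower().endswith(BLOCKED_EXT)

def direct_smtp_senders(log_text, threshold=2):
    """Return {internal_host: count} for hosts that opened TCP/25 connections
    to external destinations without using an approved gateway. Hosts with
    fewer than `threshold` attempts are dropped to reduce noise."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        _, _, src, dst, proto, dport = m.groups()
        if proto != "TCP" or dport != "25":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in MAIL_GATEWAYS or src_ip not in INTERNAL_NET:
            continue  # the relay itself, or traffic not from our network
        if dst_ip in INTERNAL_NET:
            continue  # handed to an internal host (e.g. the gateway): fine
        counts[str(src_ip)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}
```

Blocked (DENY) attempts count as well as allowed ones: a host that keeps retrying port 25 after the firewall rule blocks it is exactly what the review step is looking for.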
This archive was generated by hypermail 2b30 : Tue Nov 18 2003 - 11:37:33 PST