SUBJECT: WORM ALERT: Mimail

This is a very new category 3 (moderate) worm. It is prevalent within DLA. The worm attempts to exploit a vulnerability in Internet Explorer which allows a script to execute in the local computer. Systems can be easily examined to know if the system has been patched by opening Internet Explorer, click on Help, click on About Internet Explorer, and look for this patch number Q319182 or a monthly IE cumulative patch like Q818529 under Updated Versions. Remember, MS sends out IE cumulative patches about every month. Any IE cumulative patch since this vulnerability will also include the patch for this specific vulnerability. Systems will be deemed infected if a user executes the .zip file and their system does not have this vulnerability patched.

Sender: (spoofed)
Subject: your account
Attachment: message.zip
Body:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
---
Best regards,
Administrator

For further information regarding this worm:
http://www.symantec.com/avcenter/vinfodb.html#threat_list
http://vil.nai.com/vil/default.asp
http://www.trendmicro.com/vinfo/

Symantec's definition files with version number greater than 50801e, 1Aug03 ver 5 will protect against this Worm. No information is available yet from McAfee or TrendMicro.

Download web sites:
http://www.cert.mil
http://securityresponse.symantec.com/
http://wwwmcafeeb2b.com/naicommon/download/dats/find.asp
http://www.trendmicro.com/download/

Name: W32.Mimail.A@mm
Category: 3
Virus Definitions: August 1, 2003 (US Pacific Time)
Type: Worm
Aliases: WORM_MIMAIL.A [Trend]

Symantec Security Response is currently analyzing a new worm which spreads via email. The email will have the following characteristics:

Subject: your account %s
Attachment: message.zip

Note: %s refers to a variable string.

This worm attempts to exploit a vulnerability in Internet Explorer which allows a script to execute in the Local computer. See the following for more information:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp

Additional information will be provided as analysis continues.

Detection will be available in virus definitions of 8/1/2003 with a version number greater than 50801e, or August 1, 2003 ver 5.

----------
For additional information, visit our website at http://securityresponse.symantec.com

--
Scott M. Algatt
Behold the turtle. He makes progress only when he sticks his neck out.

On Fri, 1 Aug 2003, Danny wrote:

> We are getting flooded with these little puppies, does anyone have any
> additional info on what this thing does once it infects a host?
This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 13:51:50 PDT
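
Added example, not part of the original message or of any vendor's tooling: a mail-gateway style check that flags messages carrying the two characteristics the alert lists (a subject beginning "your account" and an attachment named message.zip). The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert: "Subject: your account %s" and
# "Attachment: message.zip". The sender is spoofed, so it is not used.
SUBJECT_PREFIX = "your account"
ATTACHMENT_NAME = "message.zip"


def mimail_indicators(raw_message: bytes) -> list:
    """Return which of the alert's indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Collapse whitespace so folded headers still match the prefix.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    # Require both indicators; either one alone is common in legitimate mail.
    return set(mimail_indicators(raw_message)) == {"subject", "attachment"}


def build_sample(subject: str, filename: str = None) -> bytes:
    """Constructed test message; the attachment is an empty ZIP archive."""
    m = EmailMessage()
    m["From"] = "admin@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("This email address will be expiring.")
    if filename:
        empty_zip = b"PK\x05\x06" + b"\x00" * 18
        m.add_attachment(empty_zip, maintype="application",
                         subtype="zip", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, att in [("your account xkqd", "message.zip"),
                      ("your account statement", None),
                      ("Quarterly report", "message.zip")]:
        raw = build_sample(subj, att)
        print(subj, att, mimail_indicators(raw), should_quarantine(raw))
```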