RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: att13543 (skidat_private)
Date: Mon Aug 04 2003 - 06:53:53 PDT

    I'd be interested if anyone can correlate what I've seen:  we have 2 MX
    records, one weighted at 10 (primary) and one at 20 (secondary).  Of the
    200 or so MiMail's we've seen 100% have come through our SECONDARY mail
    server.  Maybe the SMTP engine was written poorly, or maybe it was this
    way on purpose?
    
    
    -----Original Message-----
    From: Butterworth, James J. EWC (C3F J39)
    [mailto:james.butterworthat_private] 
    Sent: Friday, August 01, 2003 7:43 PM
    To: Jay Woody; incidentsat_private
    Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    
    
    There is a list of SMTP servers; once infected, the virus will scan
    the infected system looking for valid emails, store them in "eml.tmp"
    in the C:\windows dir, and once it senses an internet connection will forward
    itself to everyone in the eml.tmp file via those external SMTP servers.
    The virus writes the following key to make sure it runs at start up:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver = <Windows directory>\videodrv.exe
    
    Check for:
    C:\Windows\videodrv.exe (payload)
    C:\Windows\eml.tmp (list of emails the payload found to send itself to)
    c:\Windows\foo.exe (installation file)
    
    r/Jim Butterworth
    
    
    > -----Original Message-----
    > From:	Jay Woody [SMTP:jay_woodyat_private]
    > Sent:	Friday, August 01, 2003 11:54 AM
    > To:	incidentsat_private
    > Subject:	RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > We are just dropping everything from adminat_private. This message 
    > seems to always use admin as the "From:" field and just append our 
    > company name to it.  We will probably also use another piece of 
    > equipment to do a subject line drop as well.
    > 
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
    > 
    > JayW
    > 
    > >>> "Schmehl, Paul L" <paulsat_private> 08/01/03 01:16PM >>>
    > <http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html>
    > 
    > We're blocking message.zip at the gateway.
    > 
    > Paul Schmehl (paulsat_private)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu/~pauls/
    > 
    > > -----Original Message-----
    > > From: Danny [mailto:drh26at_private]
    > > Sent: Friday, August 01, 2003 12:56 PM
    > > To: incidentsat_private 
    > > Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > > 
    > > 
    > > We are getting flooded with these little puppies. Does anyone
    > > have any additional info on what this thing does once it infects a
    > > host? I'll be infecting a box to test myself after I send
    > > this email, but if anyone has done testing already it would be
    > > great to hear your input.
    
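Taking the reply's MX observation together with the gateway rules in the quoted messages (drop mail From: admin@<company>, block message.zip), here is an added example that is not code from anyone in the thread: it scores each incoming message against those two indicators and tallies the matches by the local MX that accepted the message, read from the newest Received: header, so a claim like "100% came through the secondary" can be counted rather than eyeballed. The local domain, the MX hostnames and the sample messages are all constructed assumptions.

```python
"""Gateway-side check for the MiMail.A indicators discussed on the list.

Added example, not from the thread. LOCAL_DOMAIN, OUR_MX and the sample
messages are assumptions constructed for illustration.
"""
import email
import email.policy
import email.utils
import re
from collections import Counter

LOCAL_DOMAIN = "example.com"   # assumption: the company's own domain
OUR_MX = {                     # assumption: our MX hosts, by MX priority role
    "mx1.example.com": "primary",
    "mx2.example.com": "secondary",
}


def receiving_mx(msg):
    """Role of the local MX that accepted the message, or None.

    Each hop prepends a Received: header, so the first one is the newest;
    we take the first 'by <host>' that names one of our own MXs.
    """
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", str(hdr))
        if m and m.group(1).lower() in OUR_MX:
            return OUR_MX[m.group(1).lower()]
    return None


def classify(raw):
    """Return {'hits': [...], 'mx': role} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    # Indicator 1 from the thread: sender forged as admin@<our company>.
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    if addr.lower() == "admin@" + LOCAL_DOMAIN:
        hits.append("from-admin")
    # Indicator 2 from the thread: an attachment named message.zip.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == "message.zip":
            hits.append("message.zip")
            break
    return {"hits": hits, "mx": receiving_mx(msg)}


def is_mimail(result):
    """Drop rule: require both indicators so genuine admin@ mail survives."""
    return "from-admin" in result["hits"] and "message.zip" in result["hits"]


def tally_by_mx(raw_messages):
    """Count matching messages per receiving-MX role (primary/secondary)."""
    return Counter(r["mx"] for r in map(classify, raw_messages) if is_mimail(r))


def _sample(mx, sender, attachment):
    """Build a constructed sample message (not a real capture)."""
    lines = [
        f"Received: from pc.dialup.example ([203.0.113.5]) by {mx} with SMTP id x1",
        f"From: {sender}",
        "To: user@example.com",
        "Subject: your account",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "hello",
    ]
    if attachment:
        lines += [
            "--b1",
            f'Content-Type: application/octet-stream; name="{attachment}"',
            f'Content-Disposition: attachment; filename="{attachment}"',
            "Content-Transfer-Encoding: base64",
            "",
            "UEsDBAoAAAAAAA==",
        ]
    lines += ["--b1--", ""]
    return "\r\n".join(lines).encode()


# Constructed samples: two worm copies via the secondary MX, one legitimate
# message via the primary, one real admin@ notice via the primary.
SAMPLES = [
    _sample("mx2.example.com", "admin@example.com", "message.zip"),
    _sample("mx1.example.com", "alice@partner.example", "report.pdf"),
    _sample("mx2.example.com", "admin@example.com", "message.zip"),
    _sample("mx1.example.com", "admin@example.com", None),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(dict(tally_by_mx(SAMPLES)))
```

Requiring both indicators is deliberate: the thread's filters each keyed on a single one, and a From:-only rule also silences any legitimate notice sent from the admin address.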


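For the host-side artifacts Jim lists (the Run value, videodrv.exe, eml.tmp and foo.exe in the Windows directory), here is an added example of a check a responder could run on a suspect machine; it is not code from the thread. The live collector assumes a Windows host with the standard winreg module, while the matching logic is separated out so it can be exercised offline with the constructed Run values and directory listings used below.

```python
"""Host-side check for the MiMail.A artifacts named on the list.

Added example, not from the thread. check_host() reads the real registry
and Windows directory on a Windows host (assumed to have winreg);
evaluate() holds the matching logic and runs anywhere.
"""
import os
import sys
from pathlib import PureWindowsPath

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "VideoDriver"                             # from the thread
ARTIFACTS = ("videodrv.exe", "eml.tmp", "foo.exe")    # from the thread


def evaluate(run_values, windir_files):
    """Return a list of finding strings.

    run_values:   dict of value name -> data under HKLM\\...\\Run
    windir_files: iterable of file names found in the Windows directory
    """
    findings = []
    for name, data in run_values.items():
        # Match either the value name the worm uses or any Run entry whose
        # target executable is videodrv.exe, whatever it was renamed to.
        exe = PureWindowsPath(str(data).strip('"')).name.lower()
        if name.lower() == RUN_VALUE.lower() or exe == "videodrv.exe":
            findings.append(f"run value {name} -> {data}")
    present = {f.lower() for f in windir_files}
    for art in ARTIFACTS:
        if art in present:
            findings.append(f"file {art} in Windows directory")
    return findings


def check_host():
    """Collect live Run values and the Windows-directory listing (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live check only runs on Windows")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            values[name] = data
            i += 1
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return evaluate(values, os.listdir(windir))


# Constructed sample inputs (not taken from a real host).
INFECTED_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "VideoDriver": r"C:\WINDOWS\videodrv.exe",
}
INFECTED_DIR = ["explorer.exe", "eml.tmp", "videodrv.exe", "win.ini"]
CLEAN_RUN = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
CLEAN_DIR = ["explorer.exe", "win.ini"]

if __name__ == "__main__":
    if sys.platform.startswith("win"):
        for f in check_host():
            print(f)
    else:
        print(evaluate(INFECTED_RUN, INFECTED_DIR))
```

eml.tmp is worth keeping before cleanup: per the thread it is the address list the worm harvested, so it tells you who was targeted from that host.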

    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 08:36:33 PDT