Re: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: Alex 'CAVE' Cernat (caveat_private)
Date: Mon Aug 04 2003 - 08:57:06 PDT


    On Mon, 4 Aug 2003 09:53:53 -0400
    "att13543" <skidat_private> wrote:
    
    > I'd be interested if anyone can correlate what I've seen:  we have 2
    > MX records, one weighted at 10 (primary) and one at 20 (secondary). 
    > Of the 200 or so MiMail's we've seen 100% have come through our
    > SECONDARY mail server.  Maybe the SMTP engine was written poorly, or
    > maybe it was this way on purpose?
    
    if the virus sends emails through a local smtp connection, it's a dns
    problem;
    but if the virus connects directly to the 'backup' smtp server, then,
    lamerish, the virus programmer probably believed that bigger value
    associated with mx means 'preferred server', which is exactly the
    opposite of the rfc or any documentation available :-)
    
    Alex
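
Added example, not part of the original message: a Python sketch of the MX ordering rule discussed above (lowest preference value is tried first), the inverted reading Alex suspects, and a log check that lists clients which contacted the backup MX without ever touching the primary. The hostnames, addresses and connection pairs are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed MX set mirroring the thread: primary at 10, secondary at 20.
# Hostnames are placeholders, not taken from the message.
MX_RECORDS = [(10, "mx1.example.org"), (20, "mx2.example.org")]

# Constructed (client_ip, mx_host_contacted) pairs, as merged from the SMTP
# connection logs of both mail servers. Addresses are documentation ranges.
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "mx1.example.org"),   # normal sender, primary only
    ("198.51.100.9", "mx1.example.org"),   # tried primary, then fell back
    ("198.51.100.9", "mx2.example.org"),
    ("192.0.2.10", "mx2.example.org"),     # went straight to the backup
    ("192.0.2.11", "mx2.example.org"),
    ("192.0.2.11", "mx2.example.org"),
]

def delivery_order(mx_records):
    """Hosts in the order a compliant sender tries them: lowest value first."""
    return [host for _, host in sorted(mx_records, key=lambda r: r[0])]

def inverted_order(mx_records):
    """Order a sender would use if it read the highest value as preferred."""
    return [host for _, host in
            sorted(mx_records, key=lambda r: r[0], reverse=True)]

def secondary_only_senders(connections, mx_records, primary_was_up=True):
    """Client IPs that contacted a backup MX and never the primary.

    If the primary was down during the window, falling back is expected
    behaviour, so nothing is flagged.
    """
    if not primary_was_up:
        return []
    primary = delivery_order(mx_records)[0]
    hosts_by_client = defaultdict(set)
    for client_ip, mx_host in connections:
        hosts_by_client[client_ip].add(mx_host)
    return sorted(ip for ip, hosts in hosts_by_client.items()
                  if primary not in hosts)

if __name__ == "__main__":
    print("compliant order:", delivery_order(MX_RECORDS))
    print("inverted order: ", inverted_order(MX_RECORDS))
    print("secondary-only: ", secondary_only_senders(SAMPLE_CONNECTIONS, MX_RECORDS))
```

A client that appears on both servers (primary first, then backup) is consistent with normal fallback; only clients absent from the primary's log are listed.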
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 10:12:39 PDT