Re: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: David Hawley, CISSP (rhino007_usat_private)
Date: Mon Aug 04 2003 - 13:44:43 PDT


    Alex,
    
    This is a very general answer.
    
    When dealing with worms I have found it useful to
    look at the source of the original Internet worm.
    It's available on the Net.  IMHO the tens of thousands
    of worms, viruses, etc. often borrow from their
    predecessor.  For example they will try and crack the
    passwd file, they will try and send info from critical
    system files (i.e. the original one sent the UNIX
    hosts and/or hosts.equiv file; newer variants, like
    the iloveyou virus 3 years ago, use Outlook's address
    book), like that.
    
    When I spotted the iloveyou script/virus in my Outlook
    inbox I saved it to a floppy, and read it on my Linux
    box in vi.
    
    Cheers, David
    
    David Hawley, CISSP
    UNIX & NT NET SECURITY, LLC
    714-697-8000
    
    --- Alex 'CAVE' Cernat <caveat_private> wrote:
    > On Mon, 4 Aug 2003 09:53:53 -0400
    > "att13543" <skidat_private> wrote:
    > 
    > > I'd be interested if anyone can correlate what I've seen:  we have 2
    > > MX records, one weighted at 10 (primary) and one at 20 (secondary).
    > > Of the 200 or so MiMail's we've seen 100% have come through our
    > > SECONDARY mail server.  Maybe the SMTP engine was written poorly, or
    > > maybe it was this way on purpose?
    > 
    > if the virus sends emails through a local smtp connection, it's a dns
    > problem;
    > but if the virus connects directly to the 'backup' smtp server, then,
    > lamerish, the virus programmer probably believed that a bigger value
    > associated with the mx means 'preferred server', which is exactly the
    > opposite of the rfc or any documentation available
    > :-)
    > 
    > Alex
    
    
    
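The MX-preference point raised in the quoted exchange above, as an added example that is not part of the original thread or of any MiMail analysis: a sender following RFC 5321 section 5.1 tries MX hosts in ascending preference order (lowest value first, equal values in random order), so with records at 10 and 20 the primary is always tried first while it is up. The block contrasts that with the inverted ordering Alex speculates about (highest value first), which lands on the secondary whenever it is reachable, and adds the check the original poster was effectively doing by hand: flag messages accepted by a non-preferred MX while the primary was up. The hostnames, the MX record list and the per-message delivery records are constructed for the example; only the preference values 10 and 20 come from the thread.

```python
import random
from collections import Counter

# Constructed MX set for the domain in the thread: primary at 10, backup at 20.
# Hostnames are hypothetical; the post only gives the preference values.
MX_RECORDS = [
    ("mx-backup.example.net", 20),
    ("mx-primary.example.net", 10),
]


def order_mx_rfc(records, rng=None):
    """Host order an RFC 5321 sender uses: ascending preference value,
    hosts sharing a preference value in random order."""
    rng = rng or random.Random(0)  # fixed seed so the example is repeatable
    groups = {}
    for host, pref in records:
        groups.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(groups):           # lowest value = most preferred
        hosts = list(groups[pref])
        rng.shuffle(hosts)                # tie-break among equal preferences
        ordered.extend(hosts)
    return ordered


def order_mx_inverted(records):
    """The mistake speculated about in the thread: treating a larger
    preference value as 'more preferred'. Highest value first."""
    return [host for host, _ in sorted(records, key=lambda r: r[1], reverse=True)]


def pick_mx(records, policy, reachable):
    """Walk the hosts in the order `policy` dictates and return the first one
    that accepts a connection (simulated by membership in `reachable`)."""
    for host in policy(records):
        if host in reachable:
            return host
    return None  # every MX refused: sender should queue and retry


# Constructed delivery log: which MX accepted each message, and whether the
# primary was reachable at the time (from monitoring, not from the mail itself).
DELIVERIES = [
    {"id": "m1", "accepted_by": "mx-backup.example.net",  "primary_up": True},
    {"id": "m2", "accepted_by": "mx-backup.example.net",  "primary_up": True},
    {"id": "m3", "accepted_by": "mx-primary.example.net", "primary_up": True},
    {"id": "m4", "accepted_by": "mx-backup.example.net",  "primary_up": False},
]


def mx_order_violations(records, deliveries):
    """IDs of messages that arrived via a non-preferred MX although the
    preferred one was up. A compliant sender would not do this; a sender with
    its own broken SMTP engine (or one deliberately aiming at the less
    filtered backup) will."""
    preferred = order_mx_rfc(records)[0]
    return [d["id"] for d in deliveries
            if d["primary_up"] and d["accepted_by"] != preferred]


def share_by_host(deliveries):
    """Fraction of messages accepted by each MX host."""
    counts = Counter(d["accepted_by"] for d in deliveries)
    total = sum(counts.values())
    return {host: n / total for host, n in counts.items()}


if __name__ == "__main__":
    both_up = {"mx-primary.example.net", "mx-backup.example.net"}
    print("RFC order     :", order_mx_rfc(MX_RECORDS))
    print("inverted order:", order_mx_inverted(MX_RECORDS))
    print("RFC sender, both up      ->", pick_mx(MX_RECORDS, order_mx_rfc, both_up))
    print("inverted sender, both up ->", pick_mx(MX_RECORDS, order_mx_inverted, both_up))
    print("violations:", mx_order_violations(MX_RECORDS, DELIVERIES))
    print("share by host:", share_by_host(DELIVERIES))
```

Two caveats for anyone applying the check to real logs: the primary-up fact has to come from your own monitoring, since a Received: header only tells you which host accepted the message, and a legitimate sender can still hit the backup during a transient primary outage, so a single backup-delivered message means nothing; the signal in the thread is the proportion (100% via the secondary), not any one event.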
    



    This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 15:55:13 PDT