RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: James C. Slora, Jr. (Jim.Sloraat_private)
Date: Tue Aug 05 2003 - 13:15:36 PDT


    Thanks - I see the same in additional copies that arrived yesterday. It
    does look like the worm favors high-weight servers, whether by design or
    by mistake. Not a single one has come to the primary mail server.
    
    
    > -----Original Message-----
    > From: att13543 [mailto:skidat_private]
    > Sent: Tuesday, August 05, 2003 1:26 PM
    > To: James C. Slora, Jr.; incidentsat_private
    > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > 
    > Seems like the behavior is pretty much universal.  Since the posting,
    > I've received two messages through the low weight / primary mail server;
    > however, they were in quarantine.  Thinking they might be the original
    > spam message, I checked the SMTP header and found out they were actually
    > forwarded from a user's outside account.  I should have known, the
    > sender wasn't admin@[domain.com].
    > 
    > -----Original Message-----
    > From: James C. Slora, Jr. [mailto:Jim.Sloraat_private] 
    > Sent: Monday, August 04, 2003 11:56 AM
    > To: att13543
    > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > att13543 wrote Monday, August 04, 2003 9:54 AM
    > 
    > > I'd be interested if anyone can correlate what I've seen:  we have 2 MX
    > > records, one weighted at 10 (primary) and one at 20 (secondary).  Of the
    > > 200 or so MiMail's we've seen 100% have come through our SECONDARY mail
    > > server.  Maybe the SMTP engine was written poorly, or maybe it was this
    > > way on purpose?
    > 
    > All of ours were sent to one specific mail server that is way down the
    > priority list.
    > 
    > This matches previous spammed email malware patterns, and I cannot
    > recall any previous worm that looked up all the mail servers and used
    > the lowest-priority one. I'm guessing that the ones we have received
    > were sent by the worm distributors rather than from infected machines.
    > I've dropped them all before the full headers were delivered, so I don't
    > have any way to positively verify this theory.
    > 
    > AV vendor descriptions say the worm takes SMTP server info from the
    > infected computer, which is inconsistent with copies arriving through a
    > low-priority mail server that users are not aware of.
    > 
    > Has anyone examined the message headers to see if there is a detectable
    > difference between messages coming from an infected system and those
    > spammed by the worm author?
    > 
    > 
    
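One way to triage the question raised in the thread (which MX a message actually entered through, and whether it was the lowest-priority one), as an added example that is not part of the original posts: it unfolds Received headers, walks them oldest-first to find the first hop handled by one of the domain's MX hosts, and flags mail that came in via the MX with the highest preference number. The MX table, host names and sample headers are constructed for the example.

```python
import re

# Constructed MX table for the receiving domain; hosts and priorities are
# hypothetical, modelled on the 10 (primary) / 20 (secondary) setup in the thread.
MX_RECORDS = {"example.com": [(10, "mx1.example.com"), (20, "mx2.example.com")]}
_RECEIVED = re.compile(r"^Received:\s*from\s+(\S+).*?\bby\s+([\w.-]+)", re.I | re.S)

def unfold(raw_headers):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw_headers):
    """Return [(from_host, by_host), ...] in header order, newest hop first."""
    hops = []
    for line in unfold(raw_headers):
        m = _RECEIVED.match(line)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops

def entry_mx(raw_headers, domain):
    """(priority, host) of the MX where the message first entered the domain, else None.
    Received headers are prepended by each hop, so the oldest hop is the last one."""
    prio_of = {host: prio for prio, host in MX_RECORDS[domain]}
    for _sender, by_host in reversed(received_hops(raw_headers)):
        if by_host in prio_of:
            return prio_of[by_host], by_host
    return None

def entered_via_lowest_priority_mx(raw_headers, domain):
    """True when the message came in through the MX with the highest preference number."""
    hit = entry_mx(raw_headers, domain)
    return hit is not None and hit[0] == max(p for p, _ in MX_RECORDS[domain])

# Constructed samples: one handed to the secondary MX by an outside host, one via the primary.
SAMPLE_VIA_SECONDARY = (
    "Received: from mx2.example.com (mx2.example.com [192.0.2.20])\n"
    "\tby mail.example.com with ESMTP; Tue, 5 Aug 2003 13:20:00 -0700\n"
    "Received: from unknown (HELO admin) [203.0.113.7]\n"
    "\tby mx2.example.com with SMTP; Tue, 5 Aug 2003 13:19:55 -0700\n"
)
SAMPLE_VIA_PRIMARY = (
    "Received: from relay.example.net (relay.example.net [198.51.100.5])\n"
    "\tby mx1.example.com with ESMTP; Tue, 5 Aug 2003 12:00:00 -0700\n"
)
```

Running it over a quarantine folder and counting entries by MX host gives the per-server distribution the thread is comparing; the regex is deliberately loose, so treat it as a triage aid rather than a full RFC 5321 trace parser.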
    This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 15:55:17 PDT