maybe this should be on sec focus but.
I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it. FYI.
Thus spake Drew Weaver (drew.weaver@thenap.com) [01/08/03 14:25]:
> I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.

The latest NAI definitions catch it as Exploit-Codebase (which I *think* is just a general catchall). We have an open ticket with F-Prot for this, and are currently waiting on updated definitions from them.

- Damian
That's funny, I had at least one person here receive a similar email which was forwarded on to me. I ran it through McAfee (4.5.1 engine, 4.0.4280 DAT) and it picked it right up (Trojan Name: Exploit-Code Base http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99383). Potentially it's a different incident than what they are talking about but the admin@domainname and the attachment are similar (it was a zip file containing an html file [according to the extensions]).

Forrest

On Fri, 1 Aug 2003, Drew Weaver wrote:
> I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.
> FYI.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL....

Forrest Houston <fhouston@east.isi.edu>
Sent by: owner-nanog@merit.edu
08/01/2003 02:28 PM
To: Drew Weaver <drew.weaver@thenap.com>
cc: "'nanog@merit.edu'" <nanog@merit.edu>
Subject: Re: maybe this should be on sec focus but.

That's funny, I had at least one person here receive a similar email which was forwarded on to me. I ran it through McAfee (4.5.1 engine, 4.0.4280 DAT) and it picked it right up (Trojan Name: Exploit-Code Base http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99383). Potentially it's a different incident than what they are talking about but the admin@domainname and the attachment are similar (it was a zip file containing an html file [according to the extensions]).

Forrest

On Fri, 1 Aug 2003, Drew Weaver wrote:
> I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.
> FYI.
I've captured this guy here actually directed at me. <thank goodness for pine:)> It appears to attach itself as message.zip not sure if it attaches using other names.

On Fri, 1 Aug 2003, Drew Weaver wrote:
> I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.
> FYI.
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html

Bob German, CISSP, CCNA, MCSE
Sr Systems Engineer
Irides, LLC

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Scott Granados
Sent: Friday, August 01, 2003 2:29 PM
To: Drew Weaver
Cc: 'nanog@merit.edu'
Subject: Re: maybe this should be on sec focus but.

I've captured this guy here actually directed at me. <thank goodness for pine:)> It appears to attach itself as message.zip not sure if it attaches using other names.

On Fri, 1 Aug 2003, Drew Weaver wrote:
> I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.
> FYI.
Sounds like mimail. See http://vil.nai.com/vil/content/v_100523.htm

---Mike

At 02:45 PM 01/08/2003 -0400, Drew Weaver wrote:
> I have had like 4 users call and tell me that they're receiving email from admin@ourdomainname with an unidentified attachment, possibly a worm that exploits the new Microsoft vulnerability last week, all 4 of these people reported that their updated this morning antivirus software missed it.
> FYI.
Friday, August 1, 2003, 11:45:25 AM, you wrote:

DW> I have had like 4 users call and tell me that they're receiving
DW> email from admin@ourdomainname with an unidentified attachment, possibly a
DW> worm that exploits the new Microsoft vulnerability last week, all 4 of these
DW> people reported that their updated this morning antivirus software missed
DW> it.

I believe it is this: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL....

I've overheard the same calls starting this morning also, all pertaining to emails supposedly from admin@ourdomain.com.

Regards,

Joe Boyce
---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: jboyce@shasta.com
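
A triage check built from the traits reported in this thread (sender admin@ the recipient's own domain, a .zip attachment such as message.zip, an HTML file inside the archive), as an added example that is not part of any poster's message. The function names, indicator labels and example.net sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def thread_indicators(raw):
    """List which traits reported in this thread a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    local = parseaddr(msg["From"] or "")[1].partition("@")[0].lower()
    # Drew, Joe: mail claims to come from admin@ the recipient's own domain.
    if local == "admin" and domain_of(msg["From"]) == domain_of(msg["To"]) != "":
        hits.append("from-admin-at-own-domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        hits.append("zip-attachment:" + name)  # Scott saw message.zip
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_content())).namelist()
        except (zipfile.BadZipFile, TypeError):
            hits.append("unreadable-zip")  # mislabelled or corrupt archive
            continue
        # Forrest: the zip held an HTML file, judging by the extension.
        if any(m.lower().endswith((".htm", ".html")) for m in members):
            hits.append("html-inside-zip")
    return hits

def build_sample(sender, attach_name, member_name):
    """Constructed test message; the archive holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.net", "test"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(thread_indicators(build_sample("admin@example.net", "message.zip", "message.html")))
    print(thread_indicators(build_sample("alice@example.org", "report.zip", "q3.csv")))
```

These traits are list members' observations rather than a vendor signature, so a match is a reason to quarantine and inspect the message, not proof of infection.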
participants (8)
- Bob German
- Damian Gerow
- Drew Weaver
- Forrest Houston
- Joe Boyce
- Mike Tancsa
- Patrick_McAllister@WASHGAS.COM
- Scott Granados