nlinecomputers

Viruses Worms Trojans ... Oh, my!


Dear Trend Micro customer:

As of October 31, 2003 (8:02 AM) US Pacific Time, TrendLabs has declared a YELLOW ALERT to control the spread of WORM_MIMAIL.C. Initial analysis indicates that this memory-resident worm is spreading via an SMTP (Simple Mail Transfer Protocol) engine.

TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 60
Official Pattern Release 667
Damage Cleanup Template 204

For more information on WORM_MIMAIL.C, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_MIMAIL.C

Please inform us if there are any infection reports in your region.
Great more viruses and spambots to spoof my domain name! Update your AV programs, Monday could be a long day.

Update your AV programs Monday
Ah, I think waiting 72 hrs to update your AVs is not the best approach. But that's just me. :lol: Where are you that Friday is a day off?


Never put off till tomorrow what you can do today B) Thanks for the heads up Nathan!


I believe he meant "update your AV programs, Monday could be a long day." He's saying Monday's going to be the day it hits big (thanks to offices)... Update now B)

Oops! D*** commas, never one around when you need it...... I'll fix it in just a sec..... Done!
LOL!! :D The red was a nice touch. :) BTW my PC-cillins are set to auto-update, no email notification needed.

Never put off till tomorrow what you can do today
...OR never do today what you can put off till tomorrow... :D :D Procrastination is, by definition, getting things done. --plagiarized from StoneGiant


I had this virus in my email this morning and Norton caught it. It had the subject line: "Re: our private photos kpvypfao" with attachment: photos.zip. I hope this doesn't spread! Ken


It is Category 3 on the Symantec AV Center. Symantec has also posted a W32.Mimail Removal Tool which should make removal a snap. :devil:

The W32.Mimail Removal Tool does the following:
- Terminates the W32.Mimail viral processes.
- Deletes the W32.Mimail files.
- Deletes the dropped files.
- Deletes the registry values that the worm added.


I have seen four e-mails in my in-basket, all from "john" with my domain as the sending address and "don't be late" and some gibberish letters (always different) as the subject. Of course there is no "john" within my domain. I peeked at the contents using my POP3 pre-screener and noted that there is some text and an attachment. I tossed them without bothering to receive them. Has anyone else seen these come in recently?

Edited: Oh yes, all were to the same address on my domain, which is a throw-away that I used when registering Music Match. So I guess their e-mail DB is compromised.


Never mind. I read further in the forum and checked the MIMAIL virus descriptions at the Symantec/Norton AV site. This is variation "D" of that virus. Moderator: could you fold this topic in with that so that folks can see a little of what the Mimail looks like: Mimail variation "D".

Symantec's AV Center list of new viruses shows Mimail through W32.Mimail.H@mm now. However, other AV companies like Sophos show that this particular Mimail with the YOUR PAYPAL ACCOUNT IS EXPIRING subject is called W32/Mimail-I, and their W32/Mimail-H is the one with subject "don't be late!", which is Symantec's W32.Mimail.G@mm. Head spinning yet? LOL! :D

Sophos obviously didn't skip Mimail.b like Symantec did when they created the next letter iteration, and that has put them one letter ahead in their lettering scheme. Who cares? I don't know, I like to figure things out, I guess.

Anyway, the reason I was looking into this was that when two of the early variants (W32.Mimail.C@mm and W32.Mimail.D@mm) came out, they were up to Category 3 Risk factor at Symantec within a very short time; the rest have pretty much remained at Category 2. Now all nine (I think) of the Mimail variants to date since August 1, 2003 (has it been that long already!), when W32.Mimail.A@mm was discovered, are currently at Category 2 and holding -- which means that .C and .D have been downgraded to Category 2.

Not all good news since there are so many variants, but at least none are currently at Category 3 anymore. :D


Thanks Nathan, woke up to TWO copies of this worm in email this morning! Thank goodness for Thunderbird!

---snip---
----------646847482076764
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Test =)
whnvwwisfnx
--
Test, yep.
----------646847482076764
Content-Type: application/x-msdownload; name="dooitjcm.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="duqonalxhti.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
--snip--

(code cut off and wrapped) The other one I received has an entirely different attachment name and x-msdownload file name, and group of letters, in the otherwise exactly the same worded text in the email. Thanks for the heads up!

FYI: Here's Symantec's info on it too, considered to be Category 2 Risk factor already: W32.Beagle.A@mm


A friend started receiving these messages yesterday:

*** swbell.net 's accounting dpt notice ***
Internet Billing Notice
Please press "open" and read the attached Billing Notice.
Note if you do not read this withing 24 hours we at swbell.net regret we will have to terminate internet service.

Scam or virus? Not sure which yet.
Found warnings from ISPs here:
http://www.swcp.com/swcp/
http://www.camalott.com/
Seems like it's fairly new, whatever it is. :rolleyes:

Scam or virus? Not sure which yet.
Easy ways to test for the latter. There are many antivirus programs and services out there. Is your friend using any of them? I'd bet on scam or adware installer. But the prudent thing might be to forward it to the ISP's Abuse address or Support address and see what they say.


Yes, AV is up-to-date. I looked on the Symantec site, but could find no references.Good idea to report it - I'll see if I can find a place at SW bell to report it. I told her to delete, delete, delete, empty trash! :)


Thanks Nathan! I got one of these earlier and was searching for various parts of it in Google and Symantec's virus defs library and had heard nothing. Here's a clipped source on the one I received (one thing you will notice right away is that instead of the zipped file being classed as a compression file, it is identified as an octet/stream ... not good for those using OE I would bet!)

From - Mon Jan 26 16:06:44 2004
X-UIDL: 7421c0b83d89fc48df18cb5ff3e6fe5d
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: soapbox@titusvilleherald.com    (envelope-from soapbox@titusvilleherald.com)
Received: from mail.pop4.net
Received: from soapbox@titusvilleherald.com by www.pop4.net with qmail-scanner-0.96 (uvscan: v4.1.40/v4156. . Clean. Processed in 1.159339 secs); 26 Jan 2004 21:04:53 -0000
Received: from unknown (HELO titusvilleherald.com) (64.81.37.54)  by 0 with SMTP; 26 Jan 2004 21:04:52 -0000
From: soapbox@titusvilleherald.com
Subject: Mail Transaction Failed
Date: Mon, 26 Jan 2004 13:04:49 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;    boundary="----=_NextPart_000_0009_C1396090.F922F843"
X-Priority: 3
X-MSMail-Priority: Normal
X-UIDL: 7421c0b83d89fc48df18cb5ff3e6fe5d

This is a multi-part message in MIME format.

------=_NextPart_000_0009_C1396090.F922F843
Content-Type: text/plain;    charset="Windows-1252"
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

------=_NextPart_000_0009_C1396090.F922F843
Content-Type: application/octet-stream;    name="test.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;    filename="test.zip"

UEsDBAoAAAAAAJioOjDKJx+eAFgAAABYAAAIAAAAdGVzdC5zY3JNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>
------=_NextPart_000_0009_C1396090.F922F843--

I sent a notification to the webmaster at titusvilleherald.com to let them know something was spoofing their soapbox email. Thanks again Nathan! Mystery solved!


It is designed to emulate an email error message, so yeah, it is going to jerk Outlook Express's chain. I noticed this afternoon that the Internet was sluggish and was wondering if I had some line problems. Now I wonder if we have THAT much email traffic being generated by this. This is breaking out late today. I have a sickening feeling that we techs are going to be very busy tomorrow morning.... I hate viruses. It means business for me but I don't like earning my money this way. I always feel bad for the poor suckers caught by this stuff.


WOW! That was fast!!!

Lavasoft Support Forum:

A new worm has appeared today. Its method of spreading appears to be datamining email addresses from a user's computer, followed by emailing itself to those addresses. The recipient will receive an email with various headings, including:
* Hi
* Hello
* Error
* Server Report
* Test

If you receive this email, do not open it. Immediately delete the email, download the latest reference file (01R252 27.01.2004 at the time of this writing) and perform a full system scan as shown by the settings here:
Lavasoft Help & Support
How To: Perform a "Full Scan" with Ad-aware
http://www.lavahelp.com/howto/fullscan/

We will continue to monitor for new variants. Remember to keep anti-virus software and Ad-aware updated, and practice caution when opening email from any recipient.
Lavasoft Research & Development
Update Instructions


Yup, got this one in the inbox about two hours ago. Wiped it off the face of my hard drive!!! Got it with the subject as "Hello" and the attachment as "doc.zip". What scares me is that AVG Free Edition detected this virus *before* Norton did. And even after updating *both* programs, Norton could only detect the virus after the compressed file was extracted from the ZIP file. AVG caught it without having to decompress it. What scares me even more is that my server-side AV scanner totally missed this! Fran, got your newsletter -- right on time ;)


I got one of those "Hi" ones at school yesterday. Saw the exe extension and immediately deleted it without opening. I then put the virus scanner on that folder specifically and it came up clean. :D That sure gave me a lot of faith in the school virus protection. :P Another teacher had his computer trashed the same day. Guess I had better see what I can download off the internet and scan the computer again just to be safe. ;) Mine was not a zip but an exe. By the way, I had never heard of the company it came from - some school poetry contest site in Nevada.

Fran, got your newsletter -- right on time ;)
epp_b, Excellent! Glad to hear it! :thumbsup:

Up to the minute, I have now received FIVE 'virus' emails since this afternoon! -- several variants (I am so happy I use Thunderbird that won't execute stuff!) Here is a run down, in addition to the one I listed above:

Email 2:
Subject: Server Report
Attachment: Doc.zip
Body: The message contains Unicode characters and has been sent as a binary attachment.

Email 3:
Subject: (no subject, blank)
Attachment: Doc.zip
Body: (this one was in a foreign language, I have no idea)

Email 4:
Subject: Hello
Attachment: message.pif
Body: Mail transaction failed. Partial message is available.

Email 5:
Subject: Wqwqekme
Attachment: body.pif
Body: The message contains Unicode characters and has been sent as a binary attachment.

Seems like whoever is doing this is trying to shotgun the email system. Please be very careful if you are using Windows, particularly if you are using Outlook Express.


OK, make that SEVEN! As I hit send on the last post, two more came in.

Email 6:
Subject: Hello
Attachment: document.zip
Body: The message contains Unicode characters and has been sent as a binary attachment.

Email 7:
Subject: Status
Attachment: doc.pif
Body: The message contains Unicode characters and has been sent as a binary attachment.

This is very, very big!

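The clipped sources quoted earlier in this thread (a "test.zip" declared as application/octet-stream whose base64 decodes to a zip holding test.scr, an x-msdownload attachment whose base64 starts with "TVqQ", i.e. the "MZ" executable header) and the run-down of generic subjects with .zip and .pif attachments are exactly the traits a mail gateway filter keys on. The Python below is an added example written for this page, not code from the thread, from Thunderbird, or from any AV vendor. It parses constructed messages shaped like the quoted ones and flags attachments by extension, by magic bytes, and by what a zip contains; the sender address, boundary string and the MZ stub bytes are placeholders, and the subject list comes from the posts above.

```python
"""Flag mailed executables in raw e-mail (added defender-side example).
Sample messages are constructed to mirror the sources quoted in the thread:
a zip sent as application/octet-stream holding a .scr, and a bare .pif."""
import base64
import email
import io
import zipfile
from email import policy

# Extensions Windows runs directly; .exe, .scr and .pif all appear in the thread.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Generic subjects listed in the Lavasoft note and the run-down posts.
GENERIC_SUBJECTS = {"hi", "hello", "error", "server report", "test", "status",
                    "mail transaction failed"}
MZ_MAGIC = b"MZ"           # DOS/Windows executable header ("TVqQ" in base64)
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header ("UEsDBA" in base64)


def has_exec_ext(name):
    return (name or "").lower().endswith(EXECUTABLE_EXTS)


def classify_attachment(name, data):
    """Reasons an attachment looks like a mailed executable (empty list = clean)."""
    reasons = []
    if has_exec_ext(name):
        reasons.append(f"executable extension: {name}")
    if data.startswith(MZ_MAGIC):
        reasons.append("payload starts with MZ (Windows executable)")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():  # look inside, like AVG did and Norton did not
                    if has_exec_ext(member):
                        reasons.append(f"zip contains executable member: {member}")
        except zipfile.BadZipFile:
            reasons.append("PK magic but unreadable zip")
    return reasons


def subject_is_generic(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return (msg["subject"] or "").strip().lower() in GENERIC_SUBJECTS


def scan_message(raw):
    """Parse a raw RFC 822 message; return {attachment filename: [reasons]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue  # inline text body, not an attachment
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        # The quirk noted in the thread: a .zip declared as octet-stream, not application/zip.
        ctype = part.get_content_type()
        if name.lower().endswith(".zip") and ctype != "application/zip":
            reasons.append(f"zip declared as {ctype}")
        if reasons:
            findings[name] = reasons
    return findings


def build_zip_with_scr():
    """Zip holding test.scr whose content starts with MZ (constructed stub, not a real PE)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("test.scr", MZ_MAGIC + b"\x90" + b"\x00" * 61)
    return buf.getvalue()


def build_message(subject, filename, ctype, data):
    """Hand-assembled MIME mail shaped like the quoted source; sender is a placeholder."""
    boundary = "----=_NextPart_000_0009_CONSTRUCTED"
    text = (
        "From: soapbox@example.invalid\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\n"
        'Content-Type: text/plain; charset="Windows-1252"\r\n'
        "Content-Transfer-Encoding: 7bit\r\n\r\n"
        "The message cannot be represented in 7-bit ASCII encoding "
        "and has been sent as a binary attachment.\r\n"
        f"--{boundary}\r\n"
        f'Content-Type: {ctype}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{base64.b64encode(data).decode()}\r\n"
        f"--{boundary}--\r\n"
    )
    return text.encode()


SAMPLE_ZIP = build_message("Mail Transaction Failed", "test.zip",
                           "application/octet-stream", build_zip_with_scr())
SAMPLE_PIF = build_message("Hello", "message.pif",
                           "application/octet-stream", MZ_MAGIC + b"\x90" * 30)

if __name__ == "__main__":
    for raw in (SAMPLE_ZIP, SAMPLE_PIF):
        print("generic subject:", subject_is_generic(raw))
        for name, reasons in scan_message(raw).items():
            print(" ", name, "->", "; ".join(reasons))
```

Magic-byte checks are deliberately applied to the decoded payload rather than to the declared Content-Type, because the quoted source shows the sender choosing the type freely; the zip is opened in memory only to list member names, never to extract or run anything.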
...(I am so happy I use Thunderbird that won't execute stuff!)
Same with Eudora :)

