[Dshield] New version of Mimail perhaps

Nels Bels nelsbels at cableone.net
Thu Dec 18 16:31:29 GMT 2003

I have also seen this type of traffic. It was addressed from the
receiver domain but was from a person that didn't exist in the
organization. (ex. From: Mary at acme.com To: John at acme.com; the from: was
false, while the to: was a valid address)
The difference was the attachment was photos.zip and it had a paragraph
about "these pictures of you and me".  The user that received them saw
it immediately as a fraud and contacted me immediately.  Thus, I have
blocked any e-mail coming from my domain coming into my domain from the

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Deb Hale
Sent: Thursday, December 18, 2003 10:04 AM
To: handlers at sans.org; list at dshield.org
Subject: [Dshield] New version of Mimail perhaps

> FYI,  Just wanted to let you know that one of my clients has received
> some suspicious emails today that appear to have a new virus. It appears
> to be another version of Mimail because it has similar characteristics.
> It appears to be coming from a fictitious user at their domain name and is
> being sent to users at their domain name.  Fortunately they do not have
> a user with the fictitious user ID so the users were suspicious and
> contacted me. The content of the email is a subject of "don't be late!
> Mipmokho" and indicates that the sender has a meeting with the
> receiver.  It has an attachment "readnow.zip" which is a common
> attachment for the suspected virus.  Upon receiving the email, (not
> opening) - the NAV auto protect was disabled and errored out.  I
> was unable to restore NAV until I shutdown and restarted the
> computers.   I have sent the file to Symantec to be analyzed. Just
> you might like to know.

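The pattern both posts describe (a From: address in the recipient's own domain that matches no real user, plus a .zip attachment) can be checked at the mail gateway. The following is an added example, not part of the original thread; the user list, the function names and the sample messages are constructed assumptions, and acme.com is the placeholder domain used in the reply above.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

LOCAL_DOMAIN = "acme.com"      # placeholder domain taken from the reply above
KNOWN_USERS = {"john", "sue"}  # assumption: local-parts exported from the directory


def check_message(raw, local_domain=LOCAL_DOMAIN, known_users=KNOWN_USERS):
    """Return findings for one inbound message given as RFC 5322 text."""
    msg = message_from_string(raw)
    findings = []
    # Header From: is what the recipient sees, so that is what is checked here.
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.rpartition("@")
    rcpts = [addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    to_local = any(addr.endswith("@" + local_domain) for addr in rcpts)
    if to_local and domain.lower() == local_domain:
        findings.append("internal-from")
        if local.lower() not in known_users:
            # Claims to be a colleague, but no such mailbox exists.
            findings.append("unknown-sender")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            findings.append("zip-attachment:" + name)
    return findings


def build_sample(sender, rcpt, subject, attachment=None):
    """Build a constructed test message; the attachment is a 4-byte stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    spoofed = build_sample("mary@acme.com", "john@acme.com",
                           "don't be late!", "readnow.zip")
    print(check_message(spoofed))
```

A message that carries "internal-from" but arrived from an outside relay is the case the reply describes blocking; where the message arrived from is known to the gateway, not to the headers, so that part is left to the gateway rule.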
