[Dshield] New version of Mimail perhaps
nelsbels at cableone.net
Thu Dec 18 16:31:29 GMT 2003
I have also seen this type of traffic. It was addressed from the
receiver domain but was from a person that didn't exist in the
organization. (ex. From: Mary at acme.com To: John at acme.com; the From: was
false, while the To: was a valid address)
The difference was the attachment was photos.zip and it had a paragraph
about "these pictures of you and me". The user that received them saw
it immediately as a fraud and contacted me immediately. Thus, I have
blocked any e-mail coming from my domain coming into my domain from the
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
> Behalf Of Deb Hale
> Sent: Thursday, December 18, 2003 10:04 AM
> To: handlers at sans.org; list at dshield.org
> Subject: [Dshield] New version of Mimail perhaps
>
> FYI, Just wanted to let you know that one of my clients has received
> some suspicious emails today that appear to have a new virus. It appears
> to be another version of Mimail because it has similar characteristics.
> It appears to be coming from a fictitious user at their domain name and is
> being sent to users at their domain name. Fortunately they do not have
> a user with the fictitious user ID so the users were suspicious and
> contacted me. The content of the email is a subject of "don't be late!
> Mipmokho" and indicates that the sender has a meeting with the
> receiver. It has an attachment "readnow.zip" which is a common
> attachment for the suspected virus. Upon receiving the email (not
> opening), the NAV auto protect was disabled and errored out. I
> was unable to restore NAV until I shut down and restarted the
> computers. I have sent the file to Symantec to be analyzed. Just
> you might like to know.
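Both reports describe the same pattern: a From: address at the recipient's own domain, a local-part that exists in no directory, and a .zip attachment arriving from outside. The script below is an added example, not code from either poster; it parses a message with the standard `email` module and flags those three conditions. The domain `acme.example`, the user directory, the trusted relay ranges and the sample message are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme.example"        # assumed: the organisation's own domain
KNOWN_USERS = {"john", "deb"}           # constructed: valid local-parts from the directory
INTERNAL_RELAYS = ("10.", "192.168.")   # assumed: address space of trusted internal relays
SUSPICIOUS_ATTACHMENTS = {"readnow.zip", "photos.zip"}  # names reported in the thread

# Constructed sample: spoofed internal sender, non-existent user, last hop external.
SAMPLE = """Received: from mail.outside.example ([203.0.113.7]) by mx.acme.example
From: Mary <mary@acme.example>
To: John <john@acme.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="readnow.zip"
Content-Disposition: attachment; filename="readnow.zip"

UEsDBAo=
--b1--
"""

def _addr(msg, field):
    # Bare address from a From:/To: header, lower-cased for comparison.
    return parseaddr(str(msg.get(field, "")))[1].lower()

def last_hop_ip(msg):
    # The first Received: header is the one our own MX added, i.e. the last hop.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg.get("Received", "")))
    return m.group(1) if m else ""

def assess(raw):
    # Returns the list of reasons the message looks like spoofed internal mail.
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender, rcpt = _addr(msg, "From"), _addr(msg, "To")
    local, _, from_dom = sender.rpartition("@")
    if from_dom == INTERNAL_DOMAIN and rcpt.endswith("@" + INTERNAL_DOMAIN):
        ip = last_hop_ip(msg)
        if ip and not ip.startswith(INTERNAL_RELAYS):
            reasons.append(f"internal From: but last hop {ip} is external")
        if local not in KNOWN_USERS:
            reasons.append(f"sender {local} is not in the directory")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SUSPICIOUS_ATTACHMENTS or name.endswith(".zip"):
            reasons.append(f"zip attachment {name}")
    return reasons
```

Run `assess(SAMPLE)` to see all three findings; the same message relayed from an internal address by a directory user trips only the attachment rule.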