[Dshield] New version of Mimail perhaps

Paul Marsh pmarsh at nmefdn.org
Thu Dec 18 16:36:08 GMT 2003


Deb:

   Sounds just like MiMail.E with the readnow.zip, we're up to .M I'm
sure .N is on it's way.  I have seen an increase in these babies in the
last week or so.  My gateway has been stopping then as a malformed zip
file and not as the virus.  I sure hope the gateway would detect it as
the mimail viri if the zip file was not jacked up....  I just want to
clarify, NAV was running OK on the workstation but once the user
received the email not opening it NAV failed?  Do you have any event log
info on what happened?  Just curious.

Thanx, Paul

-----Original Message-----
From: Deb Hale [mailto:haled at pionet.net] 
Sent: Thursday, December 18, 2003 11:04 AM
To: handlers at sans.org; list at dshield.org
Subject: [Dshield] New version of Mimail perhaps




FYI,  Just wanted to let you know that one of my clients has received
some suspicious emails today that appear to have a new virus. It appears
to be another version of Mimail because it has similar characteristics.
It appears to be coming from a fictious user at their domain name and is
being sent to users at their domain name.  Fortunately they do not have
a user with the fictious user ID so the users were suspicious and
contacted me. The content of the email is a subject of "don't be late!
Mipmokho" and indicates that the sender has a meeting with the receiver.
It has an attachment "readnow.zip" which is a common attachment for the
suspected virus.  Upon receiving the email, (not opening) - the NAV auto
protect was disabled and errored out.  I was unable to restore NAV until
I shutdown and restarted the
computers.   I have sent the file to Symantec to be analyzed. Just
thought
you might like to know. 


Deb


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list