[Dshield] new MyDoom infected attachments

MH procana at insight.rr.com
Thu Feb 5 17:49:52 GMT 2004


On Thu, Feb 05, 2004 at 08:46:24AM -0600, Betsy Horn wrote:
> Just a heads up.  Last night and this morning our system received two new
> MyDoom A infected attachments:
> 
> part.001
> mime.822
> 
> Symantec caught them, as I don't block these file types <yet>.  
> 

Hi Betsy,

In a GroupWise system, the part.001 attachments are normally attachment fragments or 
undefined, corrupt or otherwise unhandled attachments.  Gwia attaches mime.822 onto the
message. It contains the headers and the message data dump (with attachment frag).  If these 
messages were actual bounces from other sites, they might have sent just enough of the 
virus to trip your av scanner.  
You might want to compare the part.001 attachment to a copy of mydoomA and see if this 
is the case.

If you are running Guinevere or Gwava, I wonder why they didn't pick it up as your av 
scanner *snaps* in and should be scanning all mail.  Are you using the same av product 
on the desktop as Guin/Gwava at your mail gateway?  Are the dats the same?

Mike



