[Dshield] new MyDoom infected attachments
procana at insight.rr.com
Thu Feb 5 17:49:52 GMT 2004
On Thu, Feb 05, 2004 at 08:46:24AM -0600, Betsy Horn wrote:
> Just a heads up. Last night and this morning our system received two new
> MyDoom A infected attachments:
> Symantec caught them, as I don't block these file types <yet>.
In a GroupWise system, the part.001 attachments are normally attachment fragments or
undefined, corrupt or otherwise unhandled attachments. Gwia attaches mime.822 onto the
message. It contains the headers and the message data dump (with attachment frag). If these
messages were actual bounces from other sites, they might have sent just enough of the
virus to trip your av scanner.
You might want to compare the part.001 attachment to a copy of mydoomA and see if this
is the case.
If you are running Guinevere or Gwava, I wonder why they didn't pick it up as your av
scanner *snaps* in and should be scanning all mail. Are you using the same av product
on the desktop as Guin/Gwava at your mail gateway? Are the dats the same?
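
Added example (not part of the original post): one way to do the comparison suggested above, assuming the part.001 fragment is either raw bytes or a truncated run of base64 quoted in a bounce. The function names are hypothetical and the reference bytes are a constructed, harmless stand-in for the known sample.

```python
import base64
import hashlib
import re

def decode_truncated_base64(text: bytes):
    """Yield decodes of base64 text cut at arbitrary points, one per alignment."""
    chars = re.sub(rb"[^A-Za-z0-9+/]", b"", text)  # drop line breaks and '=' padding
    for skip in range(4):  # a fragment may start part-way through a 4-char group
        body = chars[skip:]
        body = body[: len(body) - len(body) % 4]  # drop the incomplete trailing group
        if body:
            yield base64.b64decode(body)

def locate_fragment(fragment: bytes, reference: bytes, min_len: int = 32):
    """Return (encoding, offset, length) if fragment is a contiguous piece of
    reference, else None. min_len avoids reporting trivially short matches."""
    candidates = [("raw", fragment)]
    candidates += [("base64", data) for data in decode_truncated_base64(fragment)]
    for encoding, data in candidates:
        if len(data) < min_len:
            continue
        offset = reference.find(data)
        if offset != -1:
            return encoding, offset, len(data)
    return None

# Constructed stand-in for the reference file (harmless pseudo-random bytes).
REFERENCE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
ENCODED = base64.b64encode(REFERENCE)
# Constructed fragments: the start of the encoded attachment, and a slice cut
# mid-stream and re-wrapped with line breaks, as a bounce might quote it.
HEAD_FRAGMENT = ENCODED[:400]
_MID = ENCODED[402:803]
MID_FRAGMENT = b"\r\n".join(_MID[i:i + 76] for i in range(0, len(_MID), 76))

if __name__ == "__main__":
    for name, frag in [("head", HEAD_FRAGMENT), ("mid", MID_FRAGMENT)]:
        print(name, locate_fragment(frag, REFERENCE))
```

A hit with a length well short of the reference size is consistent with a partial copy of the attachment being enough to trip the scanner.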