[Dshield] new MyDoom infected attachments

Betsy Horn Bhorn at hfblaw.com
Thu Feb 5 20:19:55 GMT 2004


Thanks very much for the info.  I think you're right, now that I look at
them more closely.  (GWAVA/Symantec did quarantine two of them by the
way and DAT files are dated 2/4/04.)  The mime.822 had an associated txt
file.  I can't see either one of those.  But the Part.001 attachment
came through with the GWAVA notification and it appears to be a bounce
from one of the sbc network dsl machines that's been sending the virus
out several times a day since the first day.

>>> procana at insight.rr.com 2/5/2004 11:49:52 AM >>>
On Thu, Feb 05, 2004 at 08:46:24AM -0600, Betsy Horn wrote:
> Just a heads up.  Last night and this morning our system received two
> new MyDoom A infected attachments:
> 
> part.001
> mime.822
> 
> Symantec caught them, as I don't block these file types <yet>.  
> 

Hi Betsy,

In a GroupWise system, the part.001 attachments are normally attachment
fragments or undefined, corrupt or otherwise unhandled attachments.  Gwia
attaches mime.822 onto the message.  It contains the headers and the message
data dump (with attachment frag).  If these messages were actual bounces from
other sites, they might have sent just enough of the virus to trip your av
scanner.  You might want to compare the part.001 attachment to a copy of
mydoomA and see if this is the case.

If you are running Guinevere or Gwava, I wonder why they didn't pick it up
as your av scanner *snaps* in and should be scanning all mail.  Are you
using the same av product on the desktop as Guin/Gwava at your mail
gateway?  Are the dats the same?

Mike
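Mike's suggestion of comparing the part.001 attachment against a copy of the sample, worked through as an added example that is not part of this thread: the script parses a mime.822-style bounce, decodes each named attachment, hashes it, records base64 padding defects (the usual mark of a fragment that was cut short) and checks whether the bytes are a prefix of a reference copy on the analyst's bench. REFERENCE_SAMPLE, SAMPLE_MIME_822 and the addresses in it are constructed stand-ins, not real malware or real hosts.

```python
import base64
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed stand-in for "a copy of mydoomA" kept on the analyst's bench.
# Not malware: a fake MZ header plus filler, enough to demonstrate prefix matching.
REFERENCE_SAMPLE = b"MZ\x90\x00" + bytes(60) + b"constructed-reference-body"

# Constructed mime.822-style bounce. The base64 body carries the first 39 bytes of
# the reference with its last two characters cut off, i.e. a truncated fragment.
_FRAGMENT_B64 = base64.b64encode(REFERENCE_SAMPLE[:39])[:-2]
SAMPLE_MIME_822 = (
    b"From: postmaster@isp.invalid\r\n"
    b"To: bhorn@example.invalid\r\n"
    b"Subject: Undeliverable mail (constructed sample)\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="frag"\r\n\r\n'
    b"--frag\r\nContent-Type: text/plain\r\n\r\nYour message could not be delivered.\r\n"
    b'--frag\r\nContent-Type: application/octet-stream; name="part.001"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="part.001"\r\n\r\n'
    + _FRAGMENT_B64 + b"\r\n--frag--\r\n"
)

def analyze_attachments(raw_message: bytes, reference: bytes) -> list[dict]:
    """Parse an RFC 822 dump and report every part that carries a filename:
    decoded size and SHA-256, transfer-decoding defects (missing base64 padding
    marks a fragment), and whether the bytes equal or are a prefix of reference."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    report = []
    for part in msg.walk():
        name = part.get_filename()
        if name is None or part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # lenient decode, logs defects
        report.append({
            "filename": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "decode_defects": [type(d).__name__ for d in part.defects],
            "exact_match": data == reference,
            "prefix_of_reference": bool(data) and reference.startswith(data),
        })
    return report

if __name__ == "__main__":
    for entry in analyze_attachments(SAMPLE_MIME_822, REFERENCE_SAMPLE):
        print(entry)
```

A prefix match with padding defects is what a bounce carrying only the start of the original attachment looks like; an exact hash match means the full file came through.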
