[unisog] New virus???

James Morris jmorris at cac.washington.edu
Mon Aug 4 16:42:50 GMT 2003

Sounds like the Mimail virus that started making its rounds last week.
NAI's page on it is at http://vil.nai.com/vil/content/v_100523.htm.

James Morris
Systems Engineer
NDC Systems Management
University of Washington

-----Original Message-----
From: Steve Bernard [mailto:sbernard at gmu.edu] 
Sent: Friday, August 01, 2003 12:08
To: unisog at sans.org
Subject: [unisog] New virus???

We are beginning to see an email-based virus spreading in our network. 
The originator seems to be from a locally compromised machine. Email is 
being generated in the name of the account "admin@" and purports that 
the user's IP has been changed. An accompanying attachment, 
"message.zip" is an HTML file with the binary file, "foo.exe", in the 
header portion. A script with function "malware()" is repeated multiple 
times, each calling "foo.exe". So far what I know is that the virus 
spreads itself when "message.zip" is read by reading at least one 
address in the user's address book. The scripting is easy to understand, 
but "foo.exe" is compiled. This virus is *not* recognized by the latest 
Norton AV signatures. Disabling HTML parsing in email clients seems to 
stop the virus from working.


Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia
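
The indicators reported above (mail from an "admin@" account, an attachment named "message.zip", an HTML file with script inside it) can be checked at a mail gateway before signatures are available. The sketch below is an added example, not part of the original thread; the function names, the example.edu addresses and the sample message builder are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

HTML_EXT = (".htm", ".html")

def triage(raw):
    """Return the indicators from the report that this raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Indicator 1: the mail claims to come from an "admin@" account.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower().startswith("admin@"):
        hits.append("sender-admin")
    for part in msg.iter_attachments():
        # Indicator 2: attachment named exactly as in the report.
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment-message.zip")
        data = part.get_payload(decode=True) or b""
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            hits.append("zip-unreadable")  # hold for manual review
            continue
        # Indicator 3: HTML inside the archive, and whether it carries script.
        for member in archive.namelist():
            if member.lower().endswith(HTML_EXT):
                hits.append("zip-contains-html")
                if b"<script" in archive.read(member).lower():
                    hits.append("html-contains-script")
    return hits

def build_sample(sender, filename, member, content):
    """Build a constructed test message; this is not a captured sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, content)
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.edu", "account notice"
    m.set_content("see attachment")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()
```

A message that matches the attachment indicators is a candidate for quarantine regardless of whether the desktop antivirus recognizes it yet.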
