[unisog] New virus???

H. Morrow Long morrow.long at yale.edu
Mon Aug 4 17:00:42 GMT 2003


It is W32.MiMail.A

We first noticed it on Friday afternoon and sent out a message to
our community just before 5PM:

   http://lux.its.yale.edu/statpages/status_open3.asp?Msg=2763

- H. Morrow Long, CISSP
   Director - Information Security
   Yale University, ITS

Steve Bernard wrote:

> We are beginning to see an email-based virus spreading in our network. 
> The originator seems to be from a locally compromised machine. Email is 
> being generated in the name of the account "admin@" and purports that 
> the user's IP has been changed. An accompanying attachment, 
> "message.zip" is an HTML file with the binary file, "foo.exe", in the 
> header portion. A script with function "malware()" is repeated multiple 
> times, each calling "foo.exe".  So far what I know is that the virus 
> spreads itself when "message.zip" is read by reading at least one 
> address in the user's address book. The scripting is easy to understand 
> but, "foo.exe" is compiled. This virus is *not* recognized by the latest 
> Norton AV signatures. Disabling HTML parsing in email clients seems to 
> stop the virus from working.
> 
> 
> Regards,
> 
> Steve Bernard
> Sr. Systems Engineer, NET
> George Mason University
> Fairfax, Virginia
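
The indicators listed in the quoted report (mail in the name of "admin@", an attachment named "message.zip", script inside HTML) can be checked at a mail gateway before a signature update arrives. The following Python sketch is an added example and not part of the original thread; the example.edu addresses, the archive member name "message.html", the indicator labels and the size limits are assumptions, and the sample message is constructed and harmless.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MAX_MEMBERS, MAX_BYTES = 10, 1_000_000  # assumed limits against archive bombs


def mimail_indicators(raw: bytes) -> list:
    """Return which indicators from the post a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if parseaddr(str(msg.get("From", "")))[1].lower().startswith("admin@"):
        hits.append("sender-admin")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment-message.zip")
        data = part.get_payload(decode=True) or b""
        bodies = [data]  # the post describes the attachment itself as HTML
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    small = [i for i in zf.infolist() if i.file_size <= MAX_BYTES]
                    bodies = [zf.read(i) for i in small[:MAX_MEMBERS]]
            except (RuntimeError, zipfile.BadZipFile):
                hits.append("unreadable-archive")  # encrypted or corrupt
                bodies = []
        if any(b"<script" in b.lower() for b in bodies):
            hits.append("html-script")
    return hits


def build_sample(sender="admin@example.edu", name="message.zip") -> bytes:
    """Constructed, harmless message: an empty script function in zipped HTML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", "<html><SCRIPT>function malware(){}</SCRIPT></html>")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.edu", "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    print(mimail_indicators(build_sample()))
```

A message matching all three indicators is a candidate for quarantine; a single match such as the sender alone is better treated as a logging signal.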


