[unisog] New email virus

Brent League BLEAGUE at utsa.edu
Mon Nov 3 13:21:17 GMT 2003


According to Sybari, Antigen is unable to scan and detect the virus in the
photos.zip attachment because it is coming in as a corrupted compressed
file.  They are recommending enabling the "Delete Corrupted Compressed
Files" option as mentioned below (this option is NOT enabled by default).  I
have included the email message from Sybari below.



IMPORTANT:
The original form of W32/Mimail-c, "photos.zip", is a corrupted compressed
archive.
It has been determined that certain compression utilities can extract
"photos.jpg.exe", so it can potentially be executed and propagated.

AV Engine detection will detect the "photos.jpg.exe" form. 



Sybari recommends the following options to protect from all instances of
this worm:

1. Add filter rules for the following: photos.zip, photos.jpg.exe

2. General Options - enable "Delete Corrupted Compressed Files" (if option one
is enabled, this is optional)

3. Update to the latest engine updates.



Brent League 
Senior Systems Analyst 
University of Texas at San Antonio 
Office of Information Technology 
(210)458-4555 
BLeague  @  utsa edu 


> -----Original Message-----
> From: unisog-digest-help at sans.org
> [mailto:unisog-digest-help at sans.org]
> Sent: Sunday, November 02, 2003 12:30 PM
> To: unisog at sans.org
> Subject: unisog Digest 2 Nov 2003 18:29:44 -0000 Issue 331
>
>
> David Bruce writes:
>
> Since this morning, we are seeing a new e-mail virus that does not
> appear to be detectable by current Norton or McAfee virus definitions.
> So far, the attachment received has always been named "photos.zip" with
> subject "our private photos".  We are now filtering email on this
> basis.  Has anyone else seen this?
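The advisory quoted above describes the trick that got the worm past the scanner: the attachment is a ZIP whose structure is damaged enough that a strict parser (the AV engine) rejects it, while forgiving extractors still recover "photos.jpg.exe" from the local file headers. The script below is an added example, not Antigen code and not anything from the list posts. It applies the three recommendations at a mail gateway: filter the two names, treat an archive that fails strict parsing as a "corrupted compressed file", and inspect whatever member names a lenient extractor would see. The sample archives are constructed inline (a benign image and an inert "MZ" stub with the end-of-central-directory record clobbered); the attachment name "pics.zip", the helper names and the option default are assumptions for the demonstration, and the real worm sample is not reproduced.

```python
import io
import re
import zipfile

# Constructed example modelled on the Sybari advisory quoted above.
# Not Antigen code; the "corrupted" archive is built here, not taken from the worm.

# Rule 1 from the advisory: explicit filename filters.
BLOCKED_NAMES = {"photos.zip", "photos.jpg.exe"}
# Member names a lenient extractor could hand to a user for execution.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# ZIP local file header signature; a forgiving extractor keys on these, not on
# the central directory. (A chance match inside compressed data is possible;
# for a gateway heuristic that only costs a false positive.)
LOCAL_HEADER = re.compile(rb"PK\x03\x04")


def filename_blocked(name):
    """Rule 1: block attachments (or archive members) whose name is filtered."""
    return name.lower() in BLOCKED_NAMES


def looks_executable(name):
    """Catch .exe-style names, including double extensions like photos.jpg.exe."""
    return name.lower().endswith(EXEC_EXTENSIONS)


def zip_is_well_formed(data):
    """Strict parse, the way an AV engine sees it: the central directory must be
    readable and every member must decompress with a matching CRC."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except Exception:  # BadZipFile, zlib.error, struct.error ... all mean "corrupted"
        return False


def lenient_member_names(data):
    """What a forgiving extractor recovers: walk local file headers directly,
    ignoring the (possibly damaged) central directory and EOCD record."""
    names = []
    for m in LOCAL_HEADER.finditer(data):
        off = m.start()
        if off + 30 > len(data):          # fixed part of the header is 30 bytes
            break
        name_len = int.from_bytes(data[off + 26:off + 28], "little")
        name = data[off + 30:off + 30 + name_len]
        if name:
            names.append(name.decode("utf-8", "replace"))
    return names


def check_attachment(filename, data, delete_corrupted=True):
    """Return (verdict, reasons). delete_corrupted mirrors the General Options
    setting "Delete Corrupted Compressed Files", which the post says is off by default."""
    reasons = []
    if filename_blocked(filename):
        reasons.append("filter rule: attachment name %s" % filename)
    if filename.lower().endswith(".zip"):
        if delete_corrupted and not zip_is_well_formed(data):
            reasons.append("corrupted compressed file")
        # Inspect members even when the archive is intact: rule 1 applies to
        # member names too, and a clean archive still gets the AV engine pass.
        for member in lenient_member_names(data):
            if filename_blocked(member):
                reasons.append("filter rule: archive member %s" % member)
            elif looks_executable(member):
                reasons.append("executable archive member %s" % member)
    return ("block" if reasons else "allow"), reasons


def build_samples():
    """Constructed test data: a benign archive, an intact archive carrying an
    .exe, and the same archive with its end-of-central-directory record broken."""
    def make_zip(member, payload):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, payload)
        return buf.getvalue()

    benign = make_zip("vacation.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    intact = make_zip("photos.jpg.exe", b"MZ" + b"\x90" * 256)  # inert stub, not a PE
    # Clobber the EOCD signature: strict parsers now reject the file, but the
    # local file header (and the member name) is still there for a lenient tool.
    eocd = intact.rfind(b"PK\x05\x06")
    corrupted = intact[:eocd] + b"XXXX" + intact[eocd + 4:]
    return benign, intact, corrupted


if __name__ == "__main__":
    benign, intact, corrupted = build_samples()
    for name, blob in (("vacation.zip", benign), ("photos.zip", intact), ("pics.zip", corrupted)):
        print(name, "well-formed:", zip_is_well_formed(blob), check_attachment(name, blob))
```

The interesting case is "pics.zip": the strict parser rejects it, so the name filter on the outer attachment never fires, yet the local-header walk still surfaces "photos.jpg.exe". That is why the advisory treats the corrupted-archive option and the member-name filter as alternatives: either one catches this variant, but a gateway that relies only on the engine's verdict of an unparseable file lets it through.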


