VIRUS - worm_mimail.a


sharkeeper

Lifer
Jan 13, 2001
10,886
2
0
NAVCE81 popped this at me when I just tried to delete the email!

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Mimail.A@mm
File: message.zip
Location: Mail System
Computer: ATLANTIS
User: Falconian Eissenstrom
Action taken: Clean failed : Quarantine succeeded :
Date found: Sun Aug 03 20:33:33 2003

-DAK-
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
We were able to stop it once the pattern files came out on Friday but...

The tricky thing about this one is it will actually scan most of the files on your HD for email addresses and propagate that way. So temp files and just about anything that contains an E-mail address are used.

It did make a bunch of publications. Luckily it isn't as harmful or widespread as some of the other big ones.

-edit- the other thing from a social engineering perspective is it likes to use source addresses containing "admin" so the message looks "real". Believe it or not, many of the IT guys at different companies opened it because it came from an internal E-mail address. Tricky little SOB.
 

hevnsnt

Lifer
Mar 18, 2000
10,868
1
0
Beware, there is a different variant of this out. We had a localized infection on Friday which contained 2 variants. The first variant is very easy to catch, the second was not. Email admins can block this one very easily by blocking "message.zip" attachments. I submitted the second variant to McAfee on Friday.
 

Acanthus

Lifer
Aug 28, 2001
19,915
2
76
ostif.org
Originally posted by: chiwawa626
I always feel like I'm missing out, I never have encountered any of these big viruses and stuff that are reported on the news and online...hmph :-\

It's called being "capable of independent thought".
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: spidey07
Oh,

And all of our mail is scanned at least 6 times before it hits a desktop.

Internet E-mail - scanned by two separate e-mail scrubbers before it even gets to our SMTP gateway.
Scanned on the SMTP gateway
Scanned on the MTA
Scanned on the mailbox servers
Scanned on the PC.

Still got thru because the pattern files weren't out yet. We just don't get viruses, but this one made it.

At our company, we

1. Block a list of attachments at the SMTP gateway
2. Scan email on the mail server with one engine
3. Scan files on the pc with another engine

Virus signatures are only good if they exist. At the SMTP gateway we use a program made by TFSTech called the Secure Messaging Server, which allows me to customize the filters. Currently we block anything that can execute and archive it - if the user really did need it, we just retrieve it after looking it over. As soon as MIMAIL made the news we just put in a policy to block Message.zip.

Company - 1
Viruses - 0

:D
 

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
Originally posted by: Trygve
I haven't seen much from this one yet. I got six copies in a two-hour timespan on Friday afternoon, then four more in a half-hour period this afternoon, but that's it. Hardly a blip as these things go. By comparison, when that "Install this Microsoft patch" virus was peaking, I was getting 20-40 copies per hour continuously throughout the day.

I'm amazed at how successful a virus can be just by relying upon the stupidity of its recipients.

I'm not. I still get emails saying "pleeeeeeease don't delete this. Every time you fwd this, Bill Gates will pay you $5000000!!!"
 

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
We got hit with this on friday. Apparently it hit our base at Quantico, VA and spread throughout the MCEN (marine corps enterprise network) because people are really stupid when it comes to attachments.

"Oh what's this? a 'runme.txt.vbs' file attached to an email I got from someone I don't know? Let's run it and see what happens!"
 

Jzero

Lifer
Oct 10, 1999
18,834
1
0
Originally posted by: SagaLore
Originally posted by: spidey07
Oh,

And all of our mail is scanned at least 6 times before it hits a desktop.

Internet E-mail - scanned by two separate e-mail scrubbers before it even gets to our SMTP gateway.
Scanned on the SMTP gateway
Scanned on the MTA
Scanned on the mailbox servers
Scanned on the PC.

Still got thru because the pattern files weren't out yet. We just don't get viruses, but this one made it.

At our company, we

1. Block a list of attachments at the SMTP gateway
2. Scan email on the mail server with one engine
3. Scan files on the pc with another engine

Virus signatures are only good if they exist. At the SMTP gateway we use a program made by TFSTech called the Secure Messaging Server, which allows me to customize the filters. Currently we block anything that can execute and archive it - if the user really did need it, we just retrieve it after looking it over. As soon as MIMAIL made the news we just put in a policy to block Message.zip.

Company - 1
Viruses - 0

:D

Now HERE is someone else with a clue. Definitions-based AV software just isn't enough. I spotted this virus early on. The president of my company got 10 of these messages all at once, but he's wise enough to call me before he starts poking around. I use a rules-based filter called Antigen. Just updated my attachment filter to block message.zip and that was the end of that.

My filter blocks all common virus attachments - exe, bat, scr, pif, inf, com, jar, etc. It works like a champ. The definition-based AV on the mail server hasn't made a peep since I started using it. Def-based AV now just serves as the backup.
 

friedpie

Senior member
Oct 1, 2002
703
0
0
Originally posted by: Tabb
God why do people make stuff like this. Why do people even open things like this anyway. Any half-decent computer user should know if it's an email you don't know about and comes with a strange attachment. DON'T OPEN IT!

This thing tricked people into thinking it was legit. It would send mail to people disguised as coming from admin@domain.com with domain.com being their place of employment. At Kellog, it would be admin@kellog.com, at texaco, it would be admin@texaco.com. With thousands of people at these companies, someone was bound to fall for it. Once it gets in it gets the address book and starts propagating. Where I work, people have thousands of addresses in their address books.
 

yoda291

Diamond Member
Aug 11, 2001
5,079
0
0
Originally posted by: rh71
Why is this such a big deal? From what I can tell, all it does is email more and more people... nothing malicious.. or did I miss something?

I received the "admin" email at my work inbox and saw the message.zip. Didn't open it though... apparently someone on our network did...

But again, all it does is email more people with it, am I wrong ?

If you say "dancing baby" to a lot of system admins, you're gonna get reactions ranging from shudders to seizures because everyone spamming that damn movie to all their friends and family was an email nightmare for many shops at the time...especially large shops.
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
Originally posted by: Jzero
Now HERE is someone else with a clue. Definitions-based AV software just isn't enough. I spotted this virus early on. The president of my company got 10 of these messages all at once, but he's wise enough to call me before he starts poking around. I use a rules-based filter called Antigen. Just updated my attachment filter to block message.zip and that was the end of that.

My filter blocks all common virus attachments - exe, bat, scr, pif, inf, com, jar, etc. It works like a champ. The definition-based AV on the mail server hasn't made a peep since I started using it. Def-based AV now just serves as the backup.

Yep. If it doesn't end in .zip, .doc, .xls, or .pdf then it just doesn't come through. Keeps out 99% of "bad" things.
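The gateway policies described in the posts above (hevnsnt's "block message.zip", SagaLore's block-anything-that-can-execute-and-archive-it rule, Jzero's deny list of exe/bat/scr/pif/inf/com/jar, and vi edit's allow list of .zip/.doc/.xls/.pdf) all come down to one filename-based decision, and the details decide whether it actually works: checking only the last extension misses the "runme.txt.vbs" double-extension trick mentioned earlier in the thread, and a .zip that is allowed through still has to be opened to see whether it carries an executable, with an encrypted or unreadable archive failing closed. The Python below is an added example written for this page, not code from Antigen, TFSTech's Secure Messaging Server or any other product named in the thread; the extension lists, the example.com addresses and the five sample messages are assumptions constructed for illustration, and the attachment payloads are placeholder bytes, not real malware.

```python
"""Rules-based attachment filter of the kind the thread describes for an
SMTP gateway: a deny list of executable extensions, an optional allow list,
a per-outbreak filename block, and a look inside zip archives. Added
example, not code from any product named in the thread."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute or interpret on double-click (assumption: a
# representative list extending the exe/bat/scr/pif/inf/com/jar set in the thread).
BLOCKED_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "inf", "jar",
               "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk", "reg"}
# Allow-list variant from the thread: only these pass when allow_list_mode is on.
ALLOWED_EXT = {"zip", "doc", "xls", "pdf"}
# Exact filenames blocked while a specific outbreak is running.
BLOCKED_NAMES = {"message.zip"}

def risky_extensions(filename):
    """Every extension in the name that is on the deny list. Looking at all
    dotted parts, not just the last one, catches 'runme.txt.vbs' style names."""
    parts = filename.lower().split(".")[1:]
    return {p for p in parts if p in BLOCKED_EXT}

def zip_member_names(data):
    """Member names of a zip payload, or None when it cannot be inspected
    (corrupt, or encrypted members), so that the caller fails closed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if any(i.flag_bits & 0x1 for i in infos):   # bit 0 set: encrypted entry
                return None
            return [i.filename for i in infos]
    except zipfile.BadZipFile:
        return None

def attachment_verdict(msg, allow_list_mode=False):
    """(filename, reason) for each attachment the policy strips; [] means pass."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        bad = risky_extensions(name)
        if name in BLOCKED_NAMES:
            findings.append((name, "filename on outbreak block list"))
        elif bad:
            findings.append((name, "executable extension: " + ",".join(sorted(bad))))
        elif allow_list_mode and ext not in ALLOWED_EXT:
            findings.append((name, "extension not on allow list"))
        elif ext == "zip":
            members = zip_member_names(part.get_payload(decode=True))
            if members is None:
                findings.append((name, "archive unreadable or encrypted"))
            else:
                inner = [m for m in members if risky_extensions(m)]
                if inner:
                    findings.append((name, "archive contains executable: " + ",".join(inner)))
    return findings

# --- constructed samples (placeholder payloads, not real malware) ---
def build_message(attachments):
    msg = EmailMessage()
    msg["From"] = "admin@example.com"       # the internal-looking sender the thread describes
    msg["To"] = "staff@example.com"
    msg["Subject"] = "your account"
    msg.set_content("see attached")
    for fname, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg

def zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, data in members:
            zf.writestr(fname, data)
    return buf.getvalue()

FAKE_PE = b"MZ" + b"\0" * 62          # placeholder header bytes, not an executable
SAMPLES = {
    "outbreak_name": build_message([("message.zip", zip_bytes([("message.htm", b"<html>")]))]),
    "zipped_exe":    build_message([("files.zip", zip_bytes([("readme.txt", b"hi"), ("setup.exe", FAKE_PE)]))]),
    "double_ext":    build_message([("runme.txt.vbs", b"MsgBox 1")]),
    "pdf":           build_message([("report.pdf", b"%PDF-1.4")]),
    "docx":          build_message([("quarterly.docx", b"PK\x03\x04")]),
}

def verdicts(allow_list_mode=False):
    """Re-parse each sample from its wire form, as a gateway would, then filter it."""
    return {k: attachment_verdict(message_from_bytes(m.as_bytes(), policy=policy.default),
                                  allow_list_mode)
            for k, m in SAMPLES.items()}
```

Run `verdicts()` and `verdicts(allow_list_mode=True)` side by side to see the trade-off the thread is arguing about: the deny list stops message.zip, the zipped .exe and the double extension while letting report.pdf and quarterly.docx through, whereas the allow list also drops the .docx, which is the price of "if it doesn't end in .zip, .doc, .xls, or .pdf it doesn't come through". Neither mode needs a signature.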
 

T3C

Diamond Member
Jun 3, 2003
5,324
0
0
when i checked the support email this morning i had 750 people who forwarded us this message, this is going to be a mess.
 

brtspears2

Diamond Member
Nov 16, 2000
8,659
1
81
Well, my network here got protected before the virus was allowed to destroy. Too bad I was destroyed internally, aka hundreds of users going "OMG NOOOES a virus" to me in my email.
 

all168

Senior member
May 16, 2001
500
0
0
Originally posted by: Tabb
God why do people make stuff like this. Why do people even open things like this anyway. Any half-decent computer user should know if it's an email you don't know about and comes with a strange attachment. DON'T OPEN IT!


Because most users think a letter from admin@domain_name.com should be reliable and most likely came from the administrator of the company, and not everyone in the company is an IT pro who knows the difference between admin & administrator.
 

Shuxclams

Diamond Member
Oct 10, 1999
9,286
15
81
Here is a new one.....

From Microsoft Mon Aug 4 07:39:49 2003
X-Apparently-To: XXXXXXXXX@yahoo.com via 66.218.78.180; 04 Aug 2003 07:43:06 -0700 (PDT)
Return-Path: <windowssecurity@email.microsoft.com>
Received: from 209.11.164.116 (EHLO mh.microsoft.m0.net) (209.11.164.116) by mta114.mail.sc5.yahoo.com with SMTP; 04 Aug 2003 07:43:05 -0700 (PDT)
Received: from [209.11.138.130] by 10.206.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003 07:47:21 +0000
Message-ID: <9707675316.1060007989995@m0.net>
Date: Mon, 4 Aug 2003 07:39:49 -0700 (PDT)
From: "Microsoft" <windowssecurity@email.microsoft.com>
Reply-to: windowssecurity@email.microsoft.com
To: XXXXXXXX@yahoo.com
Subject: Security Update for Microsoft Windows
Errors-to: windowssecurity@email.microsoft.com
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="---=_NEXT_f6cd6652e4"
X-cid: 9707675316
X-pid: 228387
Content-Length: 1737

*** PLEASE NOTE: Due to the critical importance of this message,
this communication is being sent to all of our Microsoft customers
to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web
site, that on July 16th we released a critical security bulletin
(MS03-026) and a patch regarding a vulnerability in the Windows
operating system. We wanted to make sure that if you were not aware
of this bulletin and corresponding patch that you take a moment to
go to http://www.microsoft.com/security/ security_bulletins/
ms03-026.asp to find out if you are running an affected version of
the Windows operating system and get the specific information as to
what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins
and to deploy patches in a timely manner we wanted to call special
attention to this particular instance as we have become aware of
some activity on the internet that we believe increases the
likelihood of the exploitation of this vulnerability. Specifically,
code has been published on several web sites that would allow
someone to spread a worm/virus that takes advantage of the
vulnerability in question thereby impacting your
computing environment.

Although it is our goal to produce the most secure and dependable
products possible, we do become aware of these types of
vulnerabilities. In order to minimize the risks of such
vulnerabilities to your computing environment, we encourage you to
subscribe to the Windows Update service by going to
http://www.windowsupdate.com and also subscribe to Microsoft's
security notification service at http://register.microsoft.com/
subscription/subscribeme.asp?ID=135 if you have not already. By
subscribing to these two services you will automatically receive
information on the latest software updates and the latest security
notifications thereby improving the likelihood that your computing
environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch
might cause and appreciate you taking the time to update
your system.

Thank you,
Microsoft Corporation


Another good trick.........

SHUX
 

yoda291

Diamond Member
Aug 11, 2001
5,079
0
0
Originally posted by: Tabb
God why do people make stuff like this. Why do people even open things like this anyway. Any half-decent computer user should know if it's an email you don't know about and comes with a strange attachment. DON'T OPEN IT!

People code virii for different reasons.

Some people code them to "pwn" many many boxes on the net very quickly so that they can glean information or use the box as a relay. Think of it as a mass hack. These people are just scum.

Sometimes people code them to attack a particular infrastructure. If you look at the history of some virii, they hit particular organizations harder than others. For instance, the recent RPC bulletin out from MS hit colleges and small business very hard....much harder than large firms like MS was hit.

Some code them to make particular security holes in OSes more apparent and see themselves as modern-day cyber heroes for doing so by spreading the word on informational security. These people I call morons...pretty much because they are. I once spoke to one bastid who launched into a litany of political and social drivel spawned from reading too many issues of 2600 and that by writing exploits, he was making for a more secure net. He really did believe he was some sort of messiah to the littler people. I wanted to hit him SO hard....

I'm sure there are more reasons, but that's all I can think of now.
 

Jzero

Lifer
Oct 10, 1999
18,834
1
0
Originally posted by: Shuxclams
Here is a new one.....

From Microsoft Mon Aug 4 07:39:49 2003
X-Apparently-To: XXXXXXXXX@yahoo.com via 66.218.78.180; 04 Aug 2003 07:43:06 -0700 (PDT)
Return-Path: <windowssecurity@email.microsoft.com>
Received: from 209.11.164.116 (EHLO mh.microsoft.m0.net) (209.11.164.116) by mta114.mail.sc5.yahoo.com with SMTP; 04 Aug 2003 07:43:05 -0700 (PDT)
Received: from [209.11.138.130] by 10.206.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003 07:47:21 +0000
Message-ID: <9707675316.1060007989995@m0.net>
Date: Mon, 4 Aug 2003 07:39:49 -0700 (PDT)
From: "Microsoft" <windowssecurity@email.microsoft.com>
Reply-to: windowssecurity@email.microsoft.com
To: XXXXXXXX@yahoo.com
Subject: Security Update for Microsoft Windows
Errors-to: windowssecurity@email.microsoft.com
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="---=_NEXT_f6cd6652e4"
X-cid: 9707675316
X-pid: 228387
Content-Length: 1737

*** PLEASE NOTE: Due to the critical importance of this message,
this communication is being sent to all of our Microsoft customers
to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web
site, that on July 16th we released a critical security bulletin
(MS03-026) and a patch regarding a vulnerability in the Windows
operating system. We wanted to make sure that if you were not aware
of this bulletin and corresponding patch that you take a moment to
go to http://www.microsoft.com/security/ security_bulletins/
ms03-026.asp to find out if you are running an affected version of
the Windows operating system and get the specific information as to
what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins
and to deploy patches in a timely manner we wanted to call special
attention to this particular instance as we have become aware of
some activity on the internet that we believe increases the
likelihood of the exploitation of this vulnerability. Specifically,
code has been published on several web sites that would allow
someone to spread a worm/virus that takes advantage of the
vulnerability in question thereby impacting your
computing environment.

Although it is our goal to produce the most secure and dependable
products possible, we do become aware of these types of
vulnerabilities. In order to minimize the risks of such
vulnerabilities to your computing environment, we encourage you to
subscribe to the Windows Update service by going to
http://www.windowsupdate.com and also subscribe to Microsoft's
security notification service at http://register.microsoft.com/
subscription/subscribeme.asp?ID=135 if you have not already. By
subscribing to these two services you will automatically receive
information on the latest software updates and the latest security
notifications thereby improving the likelihood that your computing
environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch
might cause and appreciate you taking the time to update
your system.

Thank you,
Microsoft Corporation


Another good trick.........

SHUX

What's the trick? People keep fwding me this (because I'm the security admin) and it is 100% shady, but I can't seem to prove it. The URLs of the actual e-mail appear to point back to Microsoft.com, but different URLs than the ones they are aliased to.

It's weird.
 

KnightBreed

Jun 18, 2000
11,208
774
126
Originally posted by: Jzero
What's the trick? People keep fwding me this (because I'm the security admin) and it is 100% shady, but I can't seem to prove it. The URLs of the actual e-mail appear to point back to Microsoft.com, but different URLs than the ones they are aliased to.

It's weird.
If you view the HTML source of the email, you'll see a <img src=> tag going to www.m0.net. A buddy at work thinks its a company that Microsoft outsourced to "bulk email" this critical update message.

I don't buy it. The second you open the HTML email, this m0.net knows. What information they store, and what they do with it... I haven't a clue. That's why I am not an admin.
 

Jzero

Lifer
Oct 10, 1999
18,834
1
0
Originally posted by: KnightBreed
Originally posted by: Jzero
What's the trick? People keep fwding me this (because I'm the security admin) and it is 100% shady, but I can't seem to prove it. The URLs of the actual e-mail appear to point back to Microsoft.com, but different URLs than the ones they are aliased to.

It's weird.
If you view the HTML source of the email, you'll see a <img src=> tag going to www.m0.net. A buddy at work thinks its a company that Microsoft outsourced to "bulk email" this critical update message.

I don't buy it. The second you open the HTML email, this m0.net knows. What information they store, and what they do with it... I haven't a clue. That's why I am not an admin.

Yeah it's really weird. I didn't bother clicking on any of the links, but I certainly scratched my head for quite some time trying to figure out why it makes me so nervous. I've only been in the business for 2 years, but that's long enough for me to know to trust my gut when something looks suspicious :D
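KnightBreed's and Jzero's observations are exactly what a triage script can pull out of the message mechanically: which host actually handed the mail to the receiving MTA (the EHLO name in the first Received line, mh.microsoft.m0.net, is not in the From domain), whether a link's visible text names one host while its href goes to another, and whether the HTML loads a remote image from a third party when it is opened. The Python below is an added example for this page, not code from anyone in the thread; the headers are the ones Shuxclams posted, but the HTML body, including the redirect-style link and the 1x1 image URL on m0.net, is constructed for illustration. None of these findings proves the mail is fraudulent, and a bulk mailer acting on the vendor's behalf would produce the same pattern; they are the concrete reasons it deserves a second look before anyone clicks.

```python
"""Triage of an HTML mail that presents itself as a vendor security
bulletin: where it really came from, where its links really go, and what
it loads on open. Added example for this page, not code from the thread."""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> and the src of each <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._open = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
            self.links.append(self._open)
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def registrable(host):
    """Crude registrable domain (last two labels): mh.microsoft.m0.net -> m0.net.
    Good enough here; a production filter would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url):
    return urlparse(url).hostname or ""

_EHLO = re.compile(r"\(EHLO\s+([^\s)]+)\)", re.I)
_DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    addrs = msg["From"].addresses if msg["From"] else ()
    from_dom = registrable(addrs[0].domain) if addrs else ""
    # 1. The relay that handed the mail to the receiving MTA, read from the
    #    top-most Received line carrying an EHLO name (the receiver wrote it).
    for hdr in msg.get_all("Received", []):
        m = _EHLO.search(str(hdr))
        if m:
            if registrable(m.group(1)) != from_dom:
                findings.append(f"relay {m.group(1)} is not in From domain {from_dom}")
            break
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return findings
    col = LinkCollector()
    col.feed(html.get_content())
    # 2. Visible link text naming one domain while the href goes to another.
    for href, text in col.links:
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(0)) != registrable(host_of(href)):
            findings.append(f"link text says {shown.group(0)} but href goes to {host_of(href)}")
    # 3. Remote images from a third party are fetched when the mail is
    #    rendered, so whoever serves them learns who opened it and when.
    for src in col.images:
        if registrable(host_of(src)) != from_dom:
            findings.append(f"remote image from {host_of(src)} loads when the mail is opened")
    return findings

# Headers as posted in the thread (recipient redacted); the HTML body, the
# redirect-style link and the 1x1 image URL are constructed for illustration.
SAMPLE = b"""Return-Path: <windowssecurity@email.microsoft.com>
Received: from 209.11.164.116 (EHLO mh.microsoft.m0.net) (209.11.164.116) by mta114.mail.sc5.yahoo.com with SMTP; 04 Aug 2003 07:43:05 -0700 (PDT)
Received: from [209.11.138.130] by 10.206.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003 07:47:21 +0000
From: "Microsoft" <windowssecurity@email.microsoft.com>
Reply-to: windowssecurity@email.microsoft.com
To: XXXXXXXX@yahoo.com
Subject: Security Update for Microsoft Windows
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Go to <a href="http://www.m0.net/r/9707675316">http://www.microsoft.com/security/security_bulletins/ms03-026.asp</a>
to find out if you are running an affected version.</p>
<img src="http://www.m0.net/p/9707675316.gif" width="1" height="1">
</body></html>
"""
```

`triage(SAMPLE)` returns three findings: the relay is in m0.net rather than microsoft.com, the link text shows www.microsoft.com while the href goes to www.m0.net, and a remote image on www.m0.net is loaded on open. The registrable-domain comparison is deliberately crude; it is there to show the shape of the check, not to replace a public-suffix-aware implementation.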
 

Sketcher

Platinum Member
Aug 15, 2001
2,237
0
0

1. All Domain e-mail scrubbed 4-ways before it gets in or out of my system.

2. SMTP Gateway and Hardware Based Filtering configured for 'rules' blocking of exe, bat, scr, com etc. and unique sender & Subject criteria such as "admin@", message.zip, account and variations thereof.

3. Desktops locked down with local AV regulated by Central Management station and auto-updated daily. On Demand full HD scan and install & update configurable via Central Server if it needs pushing.

4. All internet traffic filtered and locked down to the java & html level so no content can be downloaded w/out IS Dept approval. Hey, if you really really need it - then you can ask nicely :)

Def's
Rules
Locks

I was at home playin' w/the kids when a friend called me about the mimail issue. hadn't hit most of the AV Def's yet but I'm not of a mind to sit around waitin' for Definitions to post! I Citrix'd into my network and updated my rules to block the bad stuff and went back to playin' w/the kids.

It's really not a matter of "IF", but "WHEN" you're infected - but there's a lot of simple, inexpensive precaution that can be taken to minimize your exposure to unnecessary risk.

They say there's a cost of doing business. I say there's a greater cost in NOT being able to do business.

(heh heh, my next post will be from SA hell caused by a creative user who "didn't do anything" when their computer mysteriously started "doing stuff" :D)

System's Administrator
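The "admin@<your own domain>" sender that spidey07, friedpie, all168 and Sketcher all describe is something a gateway can rule on without waiting for signatures, because the gateway knows which host connected to it: a message whose From domain is the local one but whose connecting host is outside the local network did not come from the local administrator. The Python below is an added example for this page, not code from any product named in the thread; example.com, the RFC 1918 ranges treated as "internal", the privileged local-part list and the four sample messages are all assumptions. It reads the connecting address from the Received line the gateway itself stamped, the only one the sender cannot have written.

```python
"""Gateway rule for mail that claims a local sender but arrives from
outside the local network, the 'admin@<our domain>' trick from the thread.
Added example for this page, not code from any product named in it."""
import ipaddress
import re
from email import message_from_bytes, policy

OUR_DOMAIN = "example.com"                                   # assumption
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),         # assumption: the
                 ipaddress.ip_network("172.16.0.0/12"),      # LAN ranges behind
                 ipaddress.ip_network("192.168.0.0/16")]     # the gateway
# Local parts users are trained to trust; spoofing these gets a hard reject.
PRIVILEGED_LOCALPARTS = {"admin", "administrator", "postmaster", "helpdesk"}

_IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def connecting_ip(msg):
    """Address of the host that handed us the message, taken from the top
    Received line only: that is the line this gateway stamped. Every line
    below it was supplied by the sender and can say anything."""
    received = msg.get_all("Received", [])
    m = _IPV4.search(str(received[0])) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)

def sender_verdict(raw):
    """Return (action, reason) with action one of accept / flag / reject."""
    msg = message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    if not addrs:
        return ("reject", "no usable From address")
    local, domain = addrs[0].username.lower(), addrs[0].domain.lower()
    ip = connecting_ip(msg)
    if domain != OUR_DOMAIN:
        return ("accept", "sender domain is not ours; other rules apply")
    if is_internal(ip):
        return ("accept", f"local sender from internal host {ip}")
    if local in PRIVILEGED_LOCALPARTS:
        return ("reject", f"{local}@{domain} claimed by external host {ip}")
    # A real user relaying through an ISP looks the same, so only flag it.
    return ("flag", f"{domain} sender from external host {ip}")

# Constructed samples; each carries only the Received line our gateway wrote.
def raw_message(sender, received):
    return (f"Received: {received}\r\nFrom: {sender}\r\nTo: staff@{OUR_DOMAIN}\r\n"
            "Subject: your account\r\n\r\nPlease see the attachment.\r\n").encode()

SAMPLES = {
    "admin_from_outside": raw_message(f"admin@{OUR_DOMAIN}",
        "from mail.example.net ([203.0.113.5]) by mx.example.com with SMTP; Fri, 1 Aug 2003 09:12:00 -0400"),
    "admin_from_inside": raw_message(f"admin@{OUR_DOMAIN}",
        "from wks12.example.com (10.1.4.12) by mx.example.com with SMTP; Fri, 1 Aug 2003 09:12:00 -0400"),
    "user_from_outside": raw_message(f"jane@{OUR_DOMAIN}",
        "from smtp.example.org ([198.51.100.9]) by mx.example.com with SMTP; Fri, 1 Aug 2003 09:14:00 -0400"),
    "partner": raw_message("bob@example.org",
        "from mail.example.org ([198.51.100.20]) by mx.example.com with SMTP; Fri, 1 Aug 2003 09:15:00 -0400"),
}
```

The three-way outcome matters in practice: an external relay claiming admin@ is rejected outright, the same claim from a LAN address is accepted, and an ordinary local user arriving from outside is only flagged, because a roaming employee sending through an ISP's relay produces that exact pattern and a hard reject there generates the kind of help-desk flood several posters in this thread describe.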