Full Disclosure mailing list archives
FWD:[threatnews] Malformed Zip Attachment Advisory
From: "- -" <erwinp21 () hotmail com>
Date: Tue, 04 Nov 2003 15:13:10 +0000
Dear Subscriber,

Aliases: W32/Mimail.c@mm, Worm_Mimail.C, W32/Mimail-C, Mimail.C

Description of Incident

The Mimail worm is today spreading in moderate numbers. The worm is a mass mailer, with an attached zip file (photos.zip), which contains the executable file photos.jpg.exe. The file cannot run without the user extracting the executable and running it. The worm fakes the sender's e-mail address by composing it from 'james@' and the domain name of a recipient.

The worm tries to perform a DDoS (Distributed Denial of Service) attack on the following sites:
darkprofits.com
darkprofits.net
www.darkprofits.com
www.darkprofits.net

Subject: Re[2]: our private photos <random letters>
Attachments: photos.zip
Message body:

Hello Dear!
Finaly i've found possibility to right u, my lovely girl
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX
Right now enjoy the photos.
Kiss, James.

Severity: Medium
Incidence: Medium
Potential impact: Low

Avoidance Action:

We have received reports that the attachment passed through a File Detector scenario on MAILsweeper for SMTP 4.3.10 and earlier. As a precaution we advise possibly affected customers to apply a Text Analyzer scenario using the string "possibility to right" as this constant appears in the message and is unlikely to generate false positives. Other customers should be fully protected by blocking executable file types. Antivirus updates should be applied where available.

Reference Links: If any of the links below extend over a single line in your mail client, cut and paste the entire URL.

<http://www.sophos.com/virusinfo/analyses/w32mimailc.html>
<http://www.avp.ch/avpve/worms/email/mimailc.stm>
<http://www.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html>
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.C>
<http://vil.nai.com/vil/content/v_100795.htm>
<http://www.f-secure.com/v-descs/bics.shtml>

Pete Simpson
ThreatLab Manager

------------------------------------------------------------------------

Dear Subscriber,

Over the weekend variants D, E, F, G and H of the W32/Mimail mass mailing worm were identified in the wild, but did not generally spread in significant numbers. These variants are of particular interest to MAILsweeper for SMTP users due to malformation of the zip file attachments. We have seen samples of the zip files (all called readnow.zip and containing readnow.doc.scr) that are deliberately malformed and may be classified as binary by MAILsweeper.

We advise any customers who are not already doing so to block the attachments with a File Detector scenario, using the explicit masks "photos.zip" and "readnow.zip". Work is under way to provide a patch to enable correct decomposition of similarly malformed zip files and customers will be advised of availability in due course.

Pete Simpson
ThreatLab Manager

------------------------------------------------------------------------
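As an added illustration (not part of the advisory and not MAILsweeper code), the following Python sketches the defender-side checks the two advisories describe: explicit filename masks, blocking of executable members found inside a zip, treating a zip that does not decompose cleanly as malformed rather than letting it fall through as generic binary, and the Text Analyzer string match. The sample zip and its truncated variant are constructed inside the script; the name holiday.zip is made up.

```python
import io
import zipfile

# Executable extensions a File Detector scenario would normally block.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
# Explicit filename masks named in the advisory.
BLOCKED_MASKS = {"photos.zip", "readnow.zip"}
# Text Analyzer string suggested in the advisory.
BODY_MARKER = "possibility to right"


def classify_attachment(name: str, data: bytes) -> str:
    """Verdict for one attachment: 'allow', 'block-mask',
    'block-executable' or 'block-malformed-zip'."""
    lowered = name.lower()
    if lowered in BLOCKED_MASKS:
        return "block-mask"
    if lowered.endswith(EXEC_EXTENSIONS):
        return "block-executable"
    if data.startswith(b"PK\x03\x04"):
        # Local file header says zip. If the archive will not decompose,
        # block it as malformed instead of classifying it as plain binary.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "block-malformed-zip"
        if any(m.lower().endswith(EXEC_EXTENSIONS) for m in members):
            return "block-executable"
    return "allow"


def body_matches_marker(body: str) -> bool:
    """Text Analyzer style check on the message body."""
    return BODY_MARKER in body.lower()


def build_zip(member: str, content: bytes) -> bytes:
    """Constructed sample: a well-formed zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def truncate_zip(data: bytes) -> bytes:
    """Constructed malformation: strip the end-of-central-directory record,
    leaving a file that still starts with a zip local header."""
    return data[: data.rfind(b"PK\x05\x06")]
```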