Full Disclosure mailing list archives

FWD:[threatnews] Malformed Zip Attachment Advisory


From: "- -" <erwinp21 () hotmail com>
Date: Tue, 04 Nov 2003 15:13:10 +0000

Dear Subscriber

Aliases:
W32/Mimail.c@mm, Worm_Mimail.C, W32/Mimail-C, Mimail.C

Description of Incident

The Mimail worm is today spreading in moderate numbers. The worm is a mass
mailer, with an attached zip file (photos.zip), which contains the
executable file photos.jpg.exe. The file cannot run without the user
extracting the executable and running it. The worm fakes the sender's e-mail
address by composing it from 'james@' and the domain name of a recipient.
The worm tries to perform a DDoS (Distributed Denial of Service) attack on
the following sites:

        darkprofits.com
        darkprofits.net
        www.darkprofits.com
        www.darkprofits.net


Subject:

Re[2]: our private photos <random letters>


Attachments:

photos.zip


Message body:

Hello Dear!

Finaly i've found possibility to right u, my lovely girl
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX

Right now enjoy the photos.

Kiss, James.


Severity:          Medium
Incidence:         Medium
Potential impact:  Low

Avoidance Action:

We have received reports that the attachment passed through a File Detector
scenario on MAILsweeper for SMTP 4.3.10 and earlier.

As a precaution we advise possibly affected customers to apply a Text
Analyzer scenario using the string "possibility to right" as this constant
appears in the message and is unlikely to generate false positives.

Other customers should be fully protected by blocking executable file types.

Antivirus updates should be applied where available.


Reference Links:

If any of the links below extend over a single line in your mail client, cut
and paste the entire URL.

<http://www.sophos.com/virusinfo/analyses/w32mimailc.html>
<http://www.avp.ch/avpve/worms/email/mimailc.stm>
<http://www.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html>
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.C>
<http://vil.nai.com/vil/content/v_100795.htm>
<http://www.f-secure.com/v-descs/bics.shtml>

Pete Simpson
ThreatLab Manager
------------------------------------------------------------------------------------------------------------------------------------------------
Dear Subscriber,

Over the weekend variants D, E, F, G and H of the W32/Mimail mass mailing
worm were identified in the wild, but did not generally spread in
significant numbers. These variants are of particular interest to
MAILsweeper for SMTP users due to malformation of the zip file attachments.

We have seen samples of the zip files (all called readnow.zip and containing
readnow.doc.scr) that are deliberately malformed and may be classified as
binary by MAILsweeper.

We advise any customers who are not already doing so to block the
attachments with a File Detector scenario, using the explicit masks
"photos.zip" and "readnow.zip".

Work is under way to provide a patch to enable correct decomposition of
similarly malformed zip files and customers will be advised of availability
in due course.

Pete Simpson
ThreatLab Manager
------------------------------------------------------------------------------------------------------------------------------------------------
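The two advisories above describe three gateway controls: a text-match on the constant body string, an explicit block on the attachment names, and the need to decompose zip attachments rather than let a deliberately malformed archive slip through as an unclassified binary. The following script is an added illustration of those controls in Python; it is not part of the forwarded advisory and is not MAILsweeper's own code. The sample mails, the zip contents and the file names inside them are constructed here for the example (only "photos.zip", "readnow.zip", "photos.jpg.exe", "readnow.doc.scr" and the body string come from the advisory). The point it makes is the fail-closed one from the second advisory: an archive that cannot be parsed is treated as a reason to quarantine, not as an opaque blob that passes.

```python
"""Mail gateway checks modelled on the Mimail advisory (added example)."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Explicit File Detector masks named in the advisory.
BLOCKED_ATTACHMENT_NAMES = {"photos.zip", "readnow.zip"}
# Text Analyzer string: constant in the worm's message body, low false-positive rate.
BODY_SIGNATURE = "possibility to right"
# Executable types to block whether loose or inside an archive (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def inspect_zip(data: bytes) -> dict:
    """Decompose a zip attachment.

    Returns {'malformed': bool, 'executables': [member names]}. An archive that
    cannot be parsed is reported as malformed so the caller can fail closed,
    instead of being classified as a harmless generic binary.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # a member with a bad CRC/header
                return {"malformed": True, "executables": []}
            names = zf.namelist()
    except (zipfile.BadZipFile, EOFError, OSError, ValueError):
        return {"malformed": True, "executables": []}
    execs = [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    return {"malformed": False, "executables": execs}


def scan_message(raw: bytes) -> list:
    """Return the reasons to quarantine a raw RFC 822 message (empty = pass)."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if BODY_SIGNATURE in text:
        reasons.append("body contains signature %r" % BODY_SIGNATURE)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BLOCKED_ATTACHMENT_NAMES:
            reasons.append("attachment %r is on the block list" % name)
        if name.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("attachment %r is an executable type" % name)
        payload = part.get_payload(decode=True) or b""
        # Check by name and by magic so a renamed archive is still decomposed.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            result = inspect_zip(payload)
            if result["malformed"]:
                reasons.append("attachment %r is a malformed zip (fail closed)" % name)
            for inner in result["executables"]:
                reasons.append("zip %r contains executable %r" % (name, inner))
    return reasons


def make_zip(inner_name: str, content: bytes) -> bytes:
    """Build a small in-memory zip (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


def build_sample(zip_bytes: bytes, attachment_name: str, body: str) -> bytes:
    """Assemble a constructed sample mail carrying one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "james@example.invalid"  # placeholder sender domain
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re[2]: our private photos"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


WELL_FORMED = make_zip("photos.jpg.exe", b"placeholder bytes, not an executable")
# Chop off the end-of-central-directory record to emulate a deliberately
# malformed archive of the kind the second advisory describes.
MALFORMED = WELL_FORMED[:-10]

SAMPLE_MIMAIL_C = build_sample(
    WELL_FORMED, "photos.zip",
    "Hello Dear!\nFinaly i've found possibility to right u, my lovely girl\n")
SAMPLE_MIMAIL_D = build_sample(MALFORMED, "readnow.zip", "readnow.doc.scr is attached\n")
SAMPLE_CLEAN = build_sample(make_zip("report.txt", b"quarterly numbers"),
                            "report.zip", "Attached is the report.\n")

if __name__ == "__main__":
    for label, sample in (("Mimail.C", SAMPLE_MIMAIL_C),
                          ("Mimail.D-style", SAMPLE_MIMAIL_D),
                          ("clean", SAMPLE_CLEAN)):
        print(label, "->", scan_message(sample) or ["pass"])
```

Run it directly to see each sample's verdict. The string match alone would miss the D-H variants (different body), the name masks alone would miss a renamed archive, and decomposition alone would wave through the malformed zip; the three checks are layered for exactly that reason, and the malformed-archive rule is the one that needs to fail closed until a parser fix like the one promised in the advisory is in place.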


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
