Re: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: David Hawley, CISSP (rhino007_us_at_yahoo.com)
Date: 08/04/03

    Date: Mon, 4 Aug 2003 13:44:43 -0700 (PDT)
    To: Alex 'CAVE' Cernat <cave@cernat.ro>, incidents@securityfocus.com
    
    

    Alex,

    This is a very general answer.

    When dealing with worms I have found it useful to
    look at the source of the original Internet worm.
    It's available on the Net. IMHO the tens of thousands
    of worms, viruses, etc. often borrow from the
    predecessor. For example they will try and crack the
    passwd file, they will try and send info from critical
    system files (i.e. the original one sent the UNIX
    hosts and/or hosts.equiv file; newer variants, like
    the iloveyou virus 3 years ago, use Outlook's address
    book), like that.

    When I spotted the iloveyou script/virus in my Outlook
    inbox I saved it to a floppy, and read it on my linux
    box in vi.

    Cheers, David

    David Hawley, CISSP
    UNIX & NT NET SECURITY, LLC
    714-697-8000

    --- Alex 'CAVE' Cernat <cave@cernat.ro> wrote:
    > On Mon, 4 Aug 2003 09:53:53 -0400
    > "att13543" <skid@attglobal.net> wrote:
    >
    > > I'd be interested if anyone can correlate what
    > > I've seen: we have 2 MX records, one weighted at
    > > 10 (primary) and one at 20 (secondary).
    > > Of the 200 or so MiMail's we've seen 100% have
    > > come through our SECONDARY mail server. Maybe the
    > > SMTP engine was written poorly, or maybe it was
    > > this way on purpose?
    >
    > if the virus sends emails through a local smtp
    > connection, it's a dns problem;
    > but if the virus connects directly to the 'backup'
    > smtp server, then, lamerish, the virus programmer
    > probably believed that a bigger value associated
    > with the mx means 'preferred server', which is
    > exactly the opposite of the rfc or any
    > documentation available :-)
    >
    > Alex
    >
    >

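The MX-preference point in the quoted exchange, as an added example that is not part of the original thread: a compliant sender tries the lowest preference value first and falls back to the secondary only on failure, so a sender whose sessions all land on the secondary MX stands out in the logs. The MX hosts, IPs, sender addresses and log line format below are constructed, not real data.

```python
import random
import re
from collections import defaultdict

# Constructed MX records like the ones in the thread: two hosts,
# preference 10 (primary) and 20 (secondary). Hypothetical names.
MX_RECORDS = [("mx1.example.net", 10), ("mx2.example.net", 20)]

def rfc_preferred_mx(records):
    """Host a compliant sender tries first: the LOWEST preference value
    (RFC 974 / RFC 2821); ties are broken at random."""
    lowest = min(pref for _, pref in records)
    return random.choice([host for host, pref in records if pref == lowest])

def inverted_preference_mx(records):
    """The misreading Alex describes: treating the HIGHEST value as
    'preferred'. Included only to show why such a sender always ends up
    on the secondary MX, which is what the log check below looks for."""
    highest = max(pref for _, pref in records)
    return random.choice([host for host, pref in records if pref == highest])

# Constructed inbound SMTP session log (hypothetical format): which local
# MX accepted the connection, the peer IP and the envelope sender.
LOG = """\
mx1.example.net: connect from 203.0.113.5 sender=<alice@example.org>
mx2.example.net: connect from 198.51.100.7 sender=<bob@example.com>
mx2.example.net: connect from 198.51.100.8 sender=<bob@example.com>
mx1.example.net: connect from 203.0.113.9 sender=<alice@example.org>
mx2.example.net: connect from 198.51.100.9 sender=<bob@example.com>
"""

LOG_RE = re.compile(r"^(?P<mx>\S+): connect from (?P<ip>\S+) sender=<(?P<sender>[^>]*)>")

def secondary_only_senders(log_text, records, min_sessions=3):
    """Return senders whose sessions ALL arrived via a non-primary MX.
    Legitimate MTAs use the secondary only when the primary is down, so
    a sender that never touches the primary deserves a closer look."""
    primary_pref = min(pref for _, pref in records)
    primaries = {host for host, pref in records if pref == primary_pref}
    per_sender = defaultdict(lambda: [0, 0])  # sender -> [total, via_secondary]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not session records
        stats = per_sender[m["sender"]]
        stats[0] += 1
        if m["mx"] not in primaries:
            stats[1] += 1
    return sorted(s for s, (total, sec) in per_sender.items()
                  if total >= min_sessions and sec == total)
```

Run against a real MTA log you would only need to adjust LOG_RE to the server's connect-line format; the primary/secondary split comes straight from the domain's own MX records.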

