Snort mailing list archives

New Worm / Virus - WORM_MIMAIL.R?


From: sam () neuroflux com
Date: Mon, 26 Jan 2004 14:42:39 -0700 (MST)

All:

We are experiencing what appears to be a new variant of the MIMAIL virus.
We've had several machines infected now, and I've created a quick
signature:

alert tcp any any -> any any (msg: "Test Virus Pattern"; content: "represented in 7-bit ASCII"; nocase; sid:1000569;)

The contents of the message, at least from what we have gathered, is this:

The subject is: Hi

The body, at least once it comes into our exchange server is:

represented in 7-bit ASCII

The attachments are stored inside a .zip file, but are either .scr, .pif,
.exe etc. etc.

What we've discovered thus far:

* The worm also has its own SMTP engine, and therefore any infected
machine started mass mailing to the internet.

* We've been on the phone with Symantec and Trend, and they are currently
investigating and creating new signatures.

* Some of the attachments come in as status.zip.

* Thought I'd pass this along in case anyone else is stumped.

-Sam
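
A mail-gateway style check for the indicators listed in the message above (subject "Hi", the body string used in the Snort rule, and a .zip attachment holding a .scr, .pif or .exe member), as an added example that is not part of the original post or of Snort. The function names, addresses and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

BODY_MARKER = "represented in 7-bit ascii"   # body text quoted in the post
RISKY_EXT = (".scr", ".pif", ".exe")         # extensions named in the post

def indicators(raw: bytes) -> list[str]:
    """Return which of the post's indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == "hi":
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "text" and not name:
            if BODY_MARKER in data.decode("latin-1").lower():
                hits.append("body")
        elif name.endswith(".zip"):
            try:
                members = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                hits.append("zip-unreadable")   # corrupt archive: flag for review
                continue
            if any(m.lower().endswith(RISKY_EXT) for m in members):
                hits.append("zip-executable")
    return hits

def build_sample(subject: str, body: str, member: str) -> bytes:
    """Constructed test message; the zip member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, b"placeholder, not executable content")
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content(body)
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="status.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(indicators(build_sample("Hi", "represented in 7-bit ASCII", "status.scr")))
    print(indicators(build_sample("Minutes", "See attached.", "notes.txt")))
```

Inspecting the archive's member names catches the executable even though the attachment itself is named .zip, which a content-string match on the body alone does not cover.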


