Snort mailing list archives

RE: New Worm / Virus - WORM_MIMAIL.R?


From: <CGhercoias () TWEC COM>
Date: Tue, 27 Jan 2004 07:58:24 -0500

Yes, that's the W32.Novarg.A@mm worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Set the spam appliance (if you have one) or the mail server to drop the
.zip, .scr, .bat, .exe etc. attachments.
Thank you for the signature; it works, and I just renamed the "Test Virus
Pattern" to "W32.Novarg.A@mm worm".

Thank you, 
___________________________
Catalin Ghercoias 
WEB/Network Security Administrator 

Office Phone: +(518) 452-1242 Ext.7435 
Fax: (518) 452-4768 
Mail: Catalin Ghercoias 
website: http://www.fye.com 

The content of this communication is classified as Trans World
Entertainment Confidential and Proprietary Information. As such, it is
intended solely for the use of the individual or entity to whom it is
addressed and only others who are authorized to receive it. If you are
not one of those, you are hereby notified that any disclosure, copying,
distribution, or action in reliance on the contents of this information
is strictly prohibited and may be unlawful. If you have received this
communication in error, please notify us immediately by responding to
this communication and then deleting it from your system. 

 

-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com] 
Sent: Monday, January 26, 2004 4:43 PM
To: snort-sigs () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] New Worm / Virus - WORM_MIMAIL.R?


All:

We are experiencing what appears to be a new variant of the MIMAIL
virus.
We've had several machines infected now, and I've created a quick
signature:

alert tcp any any -> any any (msg:"Test Virus Pattern"; content:"represented in 7-bit ASCII"; nocase; sid:1000569;)

The contents of the message, at least from what we have gathered, are this:

The subject is: Hi

The body, at least once it comes into our Exchange server, is:

represented in 7-bit ASCII

The attachments are stored inside a .zip file, but are either .scr, .pif,
.exe etc. etc.

What we've discovered thus far:

* The worm also has its own SMTP engine, and therefore any infected
machine starts mass mailing to the Internet.

* We've been on the phone with Symantec and Trend, and they are currently
investigating and creating new signatures.

* Some of the attachments come in as status.zip.

* Thought I'd pass this along in case anyone else is stumped.

-Sam



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
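Mail-side version of the two checks in this thread (Sam's body-string indicator and Catalin's attachment blocking), as an added example that is not part of either post. It uses only the Python standard library; the two messages it scans are constructed here rather than captured traffic, and the names scan_message, drop_all_zips, build_message and make_zip are this example's own. Unlike the Snort rule, which only sees the "represented in 7-bit ASCII" string on the wire, this opens .zip attachments and looks for the .scr/.pif/.exe/.bat members the thread describes, so a status.zip that carries document.scr is dropped even when the subject or body text differs.

```python
"""Added example (not from the thread): flag or drop mail carrying the
indicators the posts describe -- Subject "Hi", body text containing
"represented in 7-bit ASCII", and a .zip attachment (e.g. status.zip) whose
members are .scr/.pif/.exe/.bat files.  Standard library only."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BODY_MARKER = "represented in 7-bit ASCII"   # string used in Sam's Snort rule
SUSPECT_SUBJECTS = {"hi"}                     # subject reported in the thread
EXEC_EXTS = (".scr", ".pif", ".exe", ".bat")  # extensions named in the thread
ARCHIVE_EXTS = (".zip",)


def has_exec_ext(name: str) -> bool:
    """True for document.scr and also for double extensions like readme.txt.pif."""
    return name.lower().endswith(EXEC_EXTS)


def executable_members(zip_bytes: bytes) -> list[str]:
    """Names of zip members with an executable extension; [] if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if has_exec_ext(n)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes, drop_all_zips: bool = False) -> dict:
    """Return indicator hits and a verdict: 'drop', 'suspect' or 'pass'.

    drop_all_zips=True is Catalin's blanket policy (reject every .zip);
    False only rejects zips that actually contain executable members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": (msg.get("Subject") or "").strip().lower() in SUSPECT_SUBJECTS,
        "body_marker": False,
        "blocked": [],          # attachment names (zip:member) that trigger a drop
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            # Inline text body: look for the marker string, case-insensitively.
            if part.get_content_type().startswith("text/"):
                if BODY_MARKER.lower() in part.get_content().lower():
                    hits["body_marker"] = True
            continue
        payload = part.get_payload(decode=True) or b""
        if has_exec_ext(filename):
            hits["blocked"].append(filename)
        elif filename.lower().endswith(ARCHIVE_EXTS):
            if drop_all_zips:
                hits["blocked"].append(filename)
            else:
                hits["blocked"].extend(f"{filename}:{m}" for m in executable_members(payload))
    if hits["blocked"]:
        hits["verdict"] = "drop"
    elif hits["subject"] and hits["body_marker"]:
        hits["verdict"] = "suspect"   # what the Snort rule alone can see; no payload hit
    else:
        hits["verdict"] = "pass"
    return hits


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_message(subject: str, body: str, attachments: list[tuple[str, bytes]]) -> bytes:
    """Constructed test message; addresses are placeholders, not real mailboxes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: one shaped like the mail described in the thread, one benign.
WORM_LIKE = build_message("Hi", "represented in 7-bit ASCII\n",
                          [("status.zip", make_zip({"document.scr": b"MZ" + b"\0" * 16}))])
BENIGN = build_message("Q1 report", "Report attached.\n",
                       [("report.zip", make_zip({"report.txt": b"all fine"}))])

if __name__ == "__main__":
    print(scan_message(WORM_LIKE))
    print(scan_message(BENIGN))
    print(scan_message(BENIGN, drop_all_zips=True)["verdict"])
```

The "suspect" verdict exists because subject and body text alone are what a network rule like Sam's can match; a gateway that can decode MIME should key the drop decision on the attachment check, and use the blanket drop_all_zips policy only if it can live with losing legitimate archives.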



