wendy.zip - encrypted - mimail

Mariano Absatz mailscanner at LISTS.COM.AR
Thu Dec 4 14:53:41 GMT 2003


Yesterday, minutes before 17:00 local time (20:00 GMT) I got the latest 
McAfee update. From the readme (graciously logged by Tony's mcaffee-
autoupdate):

#    Product Release:     December 3, 2003
# 
#    - DAT Version:       4307
#    - Engine Version:    4.2.60
...
# NEW DETECTIONS
...
# INTERNET WORM (33)
# ------------------
...
# W32/MIMAIL.L at MM <--
...
# NEW REMOVALS
# INTERNET WORM (33)
# ------------------
...
# W32/MIMAIL.L at MM <--
...

However, later last night, a wendy.zip passed through... would that be 
innocuous? Or a newer version of mimail? 

Here's the log:
Dec  3 22:38:06 alerce MailScanner[358]: Virus and Content Scanning: Starting 
Dec  3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing wendy.zip 
Dec  3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing msg-358-70.txt 
Dec  3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing wendy.zip 
Dec  3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing msg-358-70.txt 
Dec  3 22:38:06 alerce MailScanner[358]: ZM: message 1612517 renamed into 1563662 
Dec  3 22:38:06 alerce MailScanner[358]: Uninfected: Delivered 1 messages 


:-(

NAI says ( http://vil.nai.com/vil/content/v_100856.htm ) that mimail.m is 
detected by 4307... however, I don't find it in the logs of the readmes:

$ grep -i mimail mcaffee-autoupdate.log
# W32/MIMAIL.C at MM <--
# W32/MIMAIL.C at MM <--
# W32/MIMAIL.I at MM <--
# W32/MIMAIL.I.HTA
# W32/MIMAIL.I at MM <--
# W32/MIMAIL.I.HTA
# W32/MIMAIL.HTA
# W32/MIMAIL.I!DATA
# W32/MIMAIL.J at MM  <--
# W32/MIMAIL.J at MM  <--
# W32/MIMAIL.L at MM <--
# W32/MIMAIL.L at MM <--

Does anyone have a copy of mimail.l & mimail.m that they would like to send 
to me so I can test it? (Please contact me off-list so I can tell you which 
address to use.)

Otherwise, a sample of possible subjects might help me find one through one 
of my unprotected spamtraps.

TIA

On 4 Dec 2003 at 12:25, Martin Hepworth wrote:

> >
> > done,
> > together with my email to this list.
> >
> > apropos, mimail-l was detected without problems but not mimail-m
> > http://www.sophos.com/virusinfo/analyses/w32mimailm.html
> >
> > mimail-m will be recognised from *today*
> >
> >
> > $ sweep -archive -mime /data4/doku/viren/mimail/
> >
> > Password protected file
> > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe
> >  >>> Virus 'W32/Mimail-M' found in file
> > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip
> > Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe
> >  >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip
> >
> > 2 files swept in 1 second.
> > 2 errors were encountered.
> > 2 viruses were discovered.
> > 2 files out of 2 were infected.
> >
> > --
> > shrek-m
> 
> Yeah, I saw an update come in this morning... I dunno if clamAV works
> better; nothing triggered either overnight, so...
> 
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> 
> **********************************************************************
> 
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
> 
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
> 
> **********************************************************************


--
Mariano Absatz
El Baby
----------------------------------------------------------
If I held you any closer I would be on the other side of you.
      -- Groucho Marx
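The two scanner outputs in this thread show the gateway's problem with wendy.zip: MailScanner's filename and filetype checks let the archive through, while the Sophos sweep can only report the inner wendy.exe as a "Password protected file" because no engine can open an encrypted entry without the password. What a gateway can still read is the ZIP header state: the encryption flag bit and the entry names in the central directory are stored in clear even in a password-protected archive. The following is an added example, not MailScanner's, Sophos's or McAfee's code; it inspects those headers with Python's standard zipfile module and returns a verdict string a filetype rule could act on. The make_zip helper, the file names, the extension list and the verdict wording are constructed assumptions for the demonstration.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP "general purpose bit flag" marks an entry as encrypted
# (PKWARE APPNOTE 4.4.4). The standard library exposes it as ZipInfo.flag_bits.
ENCRYPTED_FLAG = 0x0001

# Assumed executable extensions for the demonstration (not MailScanner's list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def encrypted_entries(archive_bytes):
    """Names of entries flagged as encrypted in the central directory.

    The contents of these entries cannot be content-scanned by an AV engine
    that has no password; only the container metadata is available.
    """
    names = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                names.append(info.filename)
    return names


def executable_inside(archive_bytes, extensions=EXECUTABLE_EXTENSIONS):
    """Entry names with an executable extension.

    Entry names are readable even when the payload is encrypted, because a
    classic password-protected ZIP does not encrypt its central directory.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(extensions)]


def verdict(archive_bytes):
    """Gateway decision for one ZIP attachment (assumed policy, not MailScanner's)."""
    enc = encrypted_entries(archive_bytes)
    exe = executable_inside(archive_bytes)
    if enc and exe:
        return "quarantine: encrypted archive carrying executable " + ", ".join(exe)
    if enc:
        return "hold: encrypted archive, contents cannot be scanned"
    return "allow: archive contents are scannable"


def make_zip(entries, encrypted=False):
    """Build a constructed ZIP in memory for testing.

    With encrypted=True the encryption flag is set on every local file header
    (flag at offset 6) and central directory header (flag at offset 8). The
    payload stays plain stored data; only the header state a gateway sees is
    reproduced. This is constructed test data, not a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                flags = struct.unpack_from("<H", raw, pos + flag_offset)[0]
                struct.pack_into("<H", raw, pos + flag_offset, flags | ENCRYPTED_FLAG)
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed stand-in for the wendy.zip case: an encrypted .exe entry.
    sample = make_zip([("wendy.exe", b"MZ\x90\x00 constructed payload")], encrypted=True)
    print(verdict(sample))
```

The point of checking flag_bits rather than trying to decompress is that a scanner only learns "password protected" after the fact; the header tells the gateway up front that no content verdict is possible, so the rule can hold or quarantine instead of logging "Uninfected: Delivered".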
