wendy.zip - encrypted - mimail

Ugo Bellavance ugob at CAMO-ROUTE.COM
Thu Dec 4 14:57:28 GMT 2003


> -----Original Message-----
> From: Mariano Absatz [mailto:mailscanner at LISTS.COM.AR]
> Sent: Thursday, December 04, 2003 9:54 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: wendy.zip - encrypted - mimail
> 
> 
> Yesterday, minutes before 17:00 local time (20:00 GMT) I got the latest 
> McAfee update. From the readme (graciously logged by Tony's 
> mcaffee-autoupdate):
> 
> #    Product Release:     December 3, 2003
> # 
> #    - DAT Version:       4307
> #    - Engine Version:    4.2.60
> ...
> # NEW DETECTIONS
> ...
> # INTERNET WORM (33)
> # ------------------
> ...
> # W32/MIMAIL.L at MM <--
> ...
> # NEW REMOVALS
> # INTERNET WORM (33)
> # ------------------
> ...
> # W32/MIMAIL.L at MM <--
> ...
> 
> However, later yesternight, a wendy.zip passed thru... would that be 
> innocuous? or a newer version of mimail? 
> 
yup, it might be mimail.m.

Ugo


> here's the log:
> Dec  3 22:38:06 alerce MailScanner[358]: Virus and Content Scanning: Starting 
> Dec  3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing wendy.zip 
> Dec  3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing msg-358-70.txt 
> Dec  3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing wendy.zip 
> Dec  3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing msg-358-70.txt 
> Dec  3 22:38:06 alerce MailScanner[358]: ZM: message 1612517 renamed into 1563662 
> Dec  3 22:38:06 alerce MailScanner[358]: Uninfected: Delivered 1 messages 
> 
> 
> :-(
> 
> NAI says ( http://vil.nai.com/vil/content/v_100856.htm ) that mimail.m is 
> detected by 4307... however, I don't find it in the logs of the readme's:
> 
> $ grep -i mimail mcaffee-autoupdate.log
> # W32/MIMAIL.C at MM <--
> # W32/MIMAIL.C at MM <--
> # W32/MIMAIL.I at MM <--
> # W32/MIMAIL.I.HTA
> # W32/MIMAIL.I at MM <--
> # W32/MIMAIL.I.HTA
> # W32/MIMAIL.HTA
> # W32/MIMAIL.I!DATA
> # W32/MIMAIL.J at MM  <--
> # W32/MIMAIL.J at MM  <--
> # W32/MIMAIL.L at MM <--
> # W32/MIMAIL.L at MM <--
> 
> Does anyone have a copy of mimail.l & mimail.m that they would like to send 
> to me so I can test it? (please contact me off-list so I can tell you which 
> address)
> 
> Otherwise, a sample of possible subjects might help me find one thru one 
> of my unprotected spamtraps
> 
> TIA
> 
> On 4 Dec 2003 at 12:25, Martin Hepworth wrote:
> 
> > >
> > > done,
> > > together with my email to this list.
> > >
> > > apropos, mimail-l was detected without problems but not mimail-m
> > > http://www.sophos.com/virusinfo/analyses/w32mimailm.html
> > >
> > > mimail-m will be recognised since *today*
> > >
> > >
> > > $ sweep -archive -mime /data4/doku/viren/mimail/
> > >
> > > Password protected file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe
> > >  >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip
> > > Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe
> > >  >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip
> > >
> > > 2 files swept in 1 second.
> > > 2 errors were encountered.
> > > 2 viruses were discovered.
> > > 2 files out of 2 were infected.
> > >
> > > --
> > > shrek-m
> > 
> > yeah I saw an update come in this morning...I dunno if clamAV works
> > better, nothing triggered either overnight so...
> > 
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> > 
> > 
> > 
> > **********************************************************************
> > 
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> > 
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> > 
> > 
> > **********************************************************************
> 
> 
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> If I held you any closer I would be on the other side of you.
>       -- Groucho Marx
> 
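The logs above show MailScanner's filename and filetype checks allowing wendy.zip while the virus scanners could not look inside it, because the archive is password-protected. As an added example (not code from this thread or from MailScanner), here is a gateway-side check in Python that reads the ZIP central directory and flags any member whose general-purpose bit flag marks it encrypted, so such an attachment can be blocked instead of delivered unscanned; the sample archive, the member name wendy.exe and the function names are constructed for the example.

```python
import io
import struct
import zipfile
from typing import List

ENCRYPTED_FLAG = 0x0001      # general-purpose bit flag, bit 0: member is encrypted
EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header signature


def encrypted_entries(data: bytes) -> List[str]:
    """Names of members flagged encrypted in the central directory; raises
    ValueError on a truncated or malformed archive so the caller can block it."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    names = []
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        if flags & ENCRYPTED_FLAG:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names

def attachment_decision(data: bytes) -> str:
    """Gateway policy: an archive whose members cannot be inspected is blocked."""
    try:
        names = encrypted_entries(data)
    except ValueError as exc:
        return "block: unparsable archive (%s)" % exc
    if names:
        return "block: password-protected member(s) " + ", ".join(names)
    return "allow"

def make_sample(encrypted: bool) -> bytes:
    """Constructed one-member archive. zipfile cannot write encrypted members,
    so the flag bit is patched in both the local header and the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("wendy.exe", b"placeholder bytes, not a real executable")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED_FLAG                            # local file header at offset 0
        data[data.rfind(CENTRAL_SIG) + 8] |= ENCRYPTED_FLAG  # central directory entry
    return bytes(data)
```

The parser walks the central directory itself rather than trusting a library, so an archive that a scanner cannot open still produces a block decision rather than a silent "Allowing".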



