[Mimedefang] Password encripted zip virus.

Joseph Brennan brennan at columbia.edu
Thu Dec 4 11:06:41 EST 2003 

> Now, for the really interesting part.  According to:
> http://www.sophos.com/virusinfo/analyses/w32mimailm.html
> Mimail-M has two variants.  The first is a simple variation,
> now attachment name, new targets.


I see two types of entry in our logs last night.  Recipients
changed to xxx at columbia.edu.  Wrapped for clarity.  Total 150.
The subject is RE:Greg not Re:Greg as stated at sophos.com.


One type hit the Spamassassin alarm.  The sender differed each time.
This is the type with zip file attachments; we allow zip files.

Dec  3 18:07:25 dewberry.cc.columbia.edu mimedefang.pl[22863]:
  MDLOG,hB3N7KBB005432,spam,10.113 DATE_IN_FUTURE_06_12
  FORGED_HOTMAIL_RCVD2 FORGED_MUA_OUTLOOK FROM_ENDS_IN_NUMS
  MSGID_FROM_MTA_SHORT NO_REAL_NAME PENIS_ENLARGE2,68.118.76.131,
  <dlkg0p3 at yahoo.com>,<xxx at columbia.edu>,RE:Greg

Dec  3 17:04:36 dewberry.cc.columbia.edu mimedefang.pl[640]:
  MDLOG,hB3M4VBB010563,spam,10.437 DATE_IN_FUTURE_06_12
  FORGED_MUA_OUTLOOK FORGED_YAHOO_RCVD FROM_ENDS_IN_NUMS
  MSGID_FROM_MTA_SHORT NO_REAL_NAME PENIS_ENLARGE2,80.46.150.246,
  <3p1au4 at delphi.com>,<xxx at columbia.edu>,RE:Greg


The other hit the Mimedefang attachment name test.  Again the
sender differed each time.  I do not see any with subjects other
than 'RE:Greg', grepping for 'wendy.exe'.

Dec  3 18:56:18 dewberry.cc.columbia.edu mimedefang.pl[9627]:
  MDLOG,hB3NuDBB018375,virus,
  bad_filename_3 wendy.exe application/x-msdownload,,
  <n2i at mail.com>,<xxx at columbia.edu>,RE:Greg

Dec  3 19:46:22 dewberry.cc.columbia.edu mimedefang.pl[21340]:
  MDLOG,hB40kIBB000459,virus,
  bad_filename_3 wendy.exe application/x-msdownload,,
  <29h9oqr16 at yahoo.com>,<xxx at columbia.edu>,RE:Greg


Interestingly there are NONE AT ALL in today's log, which
started seven hours ago at 04:00.  Just a flurry, and then
they stop.  That's odd.  Has it morphed?  Is it timed?

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu

More information about the MIMEDefang mailing list