[Mimedefang] Password encrypted zip virus.
Joseph Brennan
brennan at columbia.edu
Thu Dec 4 11:06:41 EST 2003
> Now, for the really interesting part. According to:
> http://www.sophos.com/virusinfo/analyses/w32mimailm.html
> Mimail-M has two variants. The first is a simple variation,
> new attachment name, new targets.
I see two types of entry in our logs last night. Recipients
changed to xxx at columbia.edu. Wrapped for clarity. Total 150.
The subject is RE:Greg not Re:Greg as stated at sophos.com.
One type hit the Spamassassin alarm. The sender differed each time.
This is the type with zip file attachments; we allow zip files.
Dec 3 18:07:25 dewberry.cc.columbia.edu mimedefang.pl[22863]:
MDLOG,hB3N7KBB005432,spam,10.113 DATE_IN_FUTURE_06_12
FORGED_HOTMAIL_RCVD2 FORGED_MUA_OUTLOOK FROM_ENDS_IN_NUMS
MSGID_FROM_MTA_SHORT NO_REAL_NAME PENIS_ENLARGE2,68.118.76.131,
<dlkg0p3 at yahoo.com>,<xxx at columbia.edu>,RE:Greg
Dec 3 17:04:36 dewberry.cc.columbia.edu mimedefang.pl[640]:
MDLOG,hB3M4VBB010563,spam,10.437 DATE_IN_FUTURE_06_12
FORGED_MUA_OUTLOOK FORGED_YAHOO_RCVD FROM_ENDS_IN_NUMS
MSGID_FROM_MTA_SHORT NO_REAL_NAME PENIS_ENLARGE2,80.46.150.246,
<3p1au4 at delphi.com>,<xxx at columbia.edu>,RE:Greg
The other hit the Mimedefang attachment name test. Again the
sender differed each time. I do not see any with subjects other
than 'RE:Greg', grepping for 'wendy.exe'.
Dec 3 18:56:18 dewberry.cc.columbia.edu mimedefang.pl[9627]:
MDLOG,hB3NuDBB018375,virus,
bad_filename_3 wendy.exe application/x-msdownload,,
<n2i at mail.com>,<xxx at columbia.edu>,RE:Greg
Dec 3 19:46:22 dewberry.cc.columbia.edu mimedefang.pl[21340]:
MDLOG,hB40kIBB000459,virus,
bad_filename_3 wendy.exe application/x-msdownload,,
<29h9oqr16 at yahoo.com>,<xxx at columbia.edu>,RE:Greg
Interestingly there are NONE AT ALL in today's log, which
started seven hours ago at 04:00. Just a flurry, and then
they stop. That's odd. Has it morphed? Is it timed?
Joseph Brennan Columbia University in the City of New York
Academic Technologies Group brennan at columbia.edu
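As an added example (not from the post or from MIMEDefang itself), a small parser for the MDLOG lines quoted above that tallies the two detection paths by subject, sender and hour, which is the kind of summary needed to answer the "flurry, then they stop" question. The field order (queue id, type, detail, relay, sender, recipient, subject) is inferred from the entries in the post; the sample lines are reconstructed from the wrapped entries plus one constructed non-matching line with a comma in its subject.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the post's wrapped entries re-joined into single syslog
# lines, plus one constructed control line (queue id and addresses made up).
SAMPLE_LOG = """\
Dec 3 18:07:25 dewberry.cc.columbia.edu mimedefang.pl[22863]: MDLOG,hB3N7KBB005432,spam,10.113 DATE_IN_FUTURE_06_12 FORGED_HOTMAIL_RCVD2 FORGED_MUA_OUTLOOK FROM_ENDS_IN_NUMS MSGID_FROM_MTA_SHORT NO_REAL_NAME PENIS_ENLARGE2,68.118.76.131,<dlkg0p3 at yahoo.com>,<xxx at columbia.edu>,RE:Greg
Dec 3 17:04:36 dewberry.cc.columbia.edu mimedefang.pl[640]: MDLOG,hB3M4VBB010563,spam,10.437 DATE_IN_FUTURE_06_12 FORGED_MUA_OUTLOOK FORGED_YAHOO_RCVD FROM_ENDS_IN_NUMS MSGID_FROM_MTA_SHORT NO_REAL_NAME PENIS_ENLARGE2,80.46.150.246,<3p1au4 at delphi.com>,<xxx at columbia.edu>,RE:Greg
Dec 3 18:56:18 dewberry.cc.columbia.edu mimedefang.pl[9627]: MDLOG,hB3NuDBB018375,virus,bad_filename_3 wendy.exe application/x-msdownload,,<n2i at mail.com>,<xxx at columbia.edu>,RE:Greg
Dec 3 19:46:22 dewberry.cc.columbia.edu mimedefang.pl[21340]: MDLOG,hB40kIBB000459,virus,bad_filename_3 wendy.exe application/x-msdownload,,<29h9oqr16 at yahoo.com>,<xxx at columbia.edu>,RE:Greg
Dec 3 19:50:01 dewberry.cc.columbia.edu mimedefang.pl[21399]: MDLOG,hCONSTRUCTED01,spam,6.2 FROM_ENDS_IN_NUMS,10.0.0.5,<someone at example.net>,<xxx at columbia.edu>,Re: meeting, tomorrow
"""

@dataclass
class MDLogEntry:
    time: str       # syslog timestamp, e.g. "Dec 3 18:07:25"
    queue_id: str
    kind: str       # "spam" (SpamAssassin hit) or "virus" (bad_filename hit)
    detail: str     # spam: score + rule names; virus: test, filename, MIME type
    relay: str      # relay IP on spam hits; empty on the attachment-name hits
    sender: str
    recipient: str
    subject: str

MDLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ mimedefang\.pl\[\d+\]: MDLOG,(.*)$")

def parse_mdlog(line):
    """Return an MDLogEntry, or None for lines that are not MDLOG records.
    Assumes detail and relay hold no commas (true for the post's entries);
    commas inside the subject are preserved because it is the last field."""
    m = MDLOG_RE.match(line)
    if not m:
        return None
    qid, kind, detail, relay, tail = m.group(2).split(",", 4)
    sender, recipient, subject = tail.split(",", 2)
    return MDLogEntry(m.group(1), qid, kind, detail, relay, sender, recipient, subject)

def summarize(text, subject="RE:Greg"):
    """Tally entries carrying the campaign's fixed subject: which detection
    path caught them, how many distinct senders, and hits per hour."""
    entries = [e for e in map(parse_mdlog, text.splitlines()) if e]
    hits = [e for e in entries if e.subject == subject]
    return {
        "total": len(entries),
        "hits": len(hits),
        "by_kind": dict(Counter(e.kind for e in hits)),
        "distinct_senders": len({e.sender for e in hits}),
        "by_hour": dict(Counter(e.time.rsplit(":", 2)[0] for e in hits)),
        "filenames": sorted({e.detail.split()[1] for e in hits if e.kind == "virus"}),
    }
```

Feeding a full day's mail log through summarize() and comparing by_hour across days shows directly whether the burst stopped or merely moved.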