
UNIRAS Brief - 600/03 - Malicious Software Report




- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 600/03 dated 31.10.03  Time: 21:28
   UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 

   UNIRAS material is also available from its website at www.uniras.gov.uk
   Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Malicious Software Report
NAME: W32/Mimail.c@MM
ALIAS: I-Worm.WatchNet, W32/Bics@MM

UNIRAS Comment
==============

AVS suppliers are currently reporting this virus as a MEDIUM or HIGH
threat, and numerous instances have been seen in the UK over the past
24 hours. Most vendors have issued updates to detect and remove the
worm; organizations should ensure these are deployed without delay.

Detail
======

W32/Mimail.c is a mass-mailing worm.  It constructs messages similar
in form to the following:

   Subject : Re[2]: our private photos (plus additional spaces then random characters)
   Attachment : PHOTOS.ZIP (12,958 bytes) which contains PHOTOS.JPG.EXE (12,832 bytes)

   Hello Dear!,
   Finally, i've found possibility to right u, my lovely girl :)
   All our photos which i've made at the beach (even when u're withou ur bh:))
   photos are great! This evening i'll come and we'll make the best SEX :)

   Right now enjoy the photos.
   Kiss, James.

and may have a forged FROM address of 'james@<fake domain>'.
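
The message traits described above, expressed as a mail-filter check. This is an added example, not part of the UNIRAS briefing or of any vendor's code. The extension lists beyond .JPG/.EXE, the example.invalid addresses and the sample message builder are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_PREFIX = "re[2]: our private photos"           # subject given in the briefing
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")      # assumption: wider than .exe
DECOY_EXTS = (".jpg", ".jpeg", ".gif", ".txt", ".doc")  # assumption: wider than .jpg

def double_extension(name):
    """True for names like PHOTOS.JPG.EXE (decoy extension, then executable one)."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS
            and "." + parts[1] in DECOY_EXTS)

def scan_message(raw):
    """Return the reasons a raw RFC 822 message matches the briefing's description."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    # The worm pads the subject with spaces and random characters: match the prefix.
    if str(msg.get("Subject", "")).strip().lower().startswith(SUBJECT_PREFIX):
        reasons.append("subject")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if double_extension(fname):
            reasons.append("attachment:" + fname)
        if fname.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                reasons.append("unreadable-zip:" + fname)  # cannot inspect: flag it
                continue
            reasons += ["zip-member:" + m for m in members if double_extension(m)]
    return reasons

def build_sample(subject, member):
    """Constructed test message: PHOTOS.ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not executable content")
    msg = EmailMessage()
    msg["From"] = "james@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="PHOTOS.ZIP")
    return msg.as_bytes()
```

A non-empty result from scan_message() is a reason to quarantine the message for review. Matching on the archive member name rather than the ZIP name is what catches the PHOTOS.JPG.EXE case.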

The worm harvests e-mail addresses from the local filestore, and
attempts to propagate using a built-in SMTP engine.  It also appears
to have a denial-of-service function targeting several hard-wired
addresses which may be invoked if a valid Internet connection is
present.  (A check is made to see if www.google.com is reachable.)

Useful URLs
===========

http://vil.nai.com/vil/content/v_100795.htm
http://www.symantec.com/avcenter/venc/data/w32.mimail.c@xxxxxxx
http://www.f-secure.com/v-descs/bics.shtml
http://www.sophos.com/virusinfo/analyses/w32mimailc.html

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone.  Not Protectively Marked information may be sent via e-mail to
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Network Associates for the
information contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original
author. Some of the information may have changed since it was
released. If the vulnerability affects you, it may be prudent to
retrieve the advisory from the canonical site to ensure that you
receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute
or imply its endorsement, recommendation, or favouring by UNIRAS or
NISCC.  The views and opinions of authors expressed within this notice
shall not be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any
errors or omissions contained within this briefing notice. In
particular, they shall not be liable for any loss or damage
whatsoever, arising from or in connection with the usage of
information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security
Teams (FIRST) and has contacts with other international Incident
Response Teams (IRTs) in order to foster cooperation and coordination
in incident prevention, to prompt rapid reaction to incidents, and to
promote information sharing amongst its members and the community at
large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
