
Magistr that uses the MIME header exploit...

From: Mosby, Christopher L <CLMosby(at)mail.bhi-erc.com>
Date: Tue Dec 03 2002 - 18:24:19 EST


I was wondering if anyone has heard of a variant of Magistr that uses the MIME header vulnerability (like Nimda and others use).  

The reason that I am asking is that we had an exe stopped at our mail relayer today (we stop all exe's like good admins should) and here is what the header looked like:  

------=_NextPart_000_0057_016F6198.377198C0
Content-Type: image/gif; name="leaving.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="leaving.exe"


When I dropped the file on my machine, Norton AntiVirus Corporate Edition detects and cleans the file as follows:  

Alert: Virus Found
Computer: COMPUTO
User: clmosby
Date: 12/03/2002
Time: 02:33:00 PM
Virus Name: W32.Magistr.39921@mm
File Path: D:\relayer\leaving.exe
Severity: Critical
Requested Action: Clean
Actual Action: Clean

Now we have stopped Magistr here on many occasions, and it has never come in using the MIME header exploit before. All the info that I can find from Symantec on this variant does not list it as using the MIME header exploit either. I have also looked at McAfee and Trend Micro's description of this variant and they do not have it using the MIME header exploit either.  

So with that in mind, unless someone out there knows something I don't, this looks like a particularly nasty new version of Magistr.  

Chris Mosby
ERC SMS/Virus Protection Administrator
Computer Virus Response Team Administrator
Bechtel Hanford Inc.

Received on Wed Dec 4 16:38:52 2002
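
A gateway-side check for the mismatch visible in the quoted header (declared type image/gif, filename ending in .exe), as an added example that is not part of the original post. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

# Assumed blocklist; a real gateway policy would be broader.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Declared top-level types that a mail client may try to render or play inline.
INLINE_MAIN_TYPES = {"image", "audio", "video"}

def ext_of(name):
    # Windows ignores trailing dots and spaces, so strip them before comparing.
    name = name.strip().lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def suspicious_parts(raw_bytes):
    """Return (declared_type, filename, reason) for each part to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # A filename can be declared in two headers, and they may disagree.
        for header, param in (("content-type", "name"), ("content-disposition", "filename")):
            value = part.get_param(param, header=header)
            name = collapse_rfc2231_value(value) if value else ""
            if ext_of(name) in EXECUTABLE_EXTS:
                mismatch = part.get_content_maintype() in INLINE_MAIN_TYPES
                reason = "type/extension mismatch" if mismatch else "executable attachment"
                findings.append((part.get_content_type(), name, reason))
                break
    return findings

# Constructed sample: one part copies the headers quoted in the post, one is benign.
SAMPLE = b"\r\n".join([
    b'Content-Type: multipart/mixed; boundary="b1"', b'',
    b'--b1',
    b'Content-Type: image/gif; name="leaving.exe"',
    b'Content-Transfer-Encoding: base64',
    b'Content-Disposition: attachment; filename="leaving.exe"', b'',
    b'AAAA',  # placeholder body, not real attachment data
    b'--b1',
    b'Content-Type: image/gif; name="logo.gif"',
    b'Content-Disposition: attachment; filename="logo.gif"', b'',
    b'R0lGODlh',
    b'--b1--', b'',
])

print(suspicious_parts(SAMPLE))
```

Reporting the mismatch as its own reason lets a relay that already blocks executables count how many of them also arrive with a misleading declared type.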


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

