RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: James C. Slora, Jr. <Jim.Slora(at)phra.com>
Date: Mon Aug 04 2003 - 14:29:01 EDT


Alex 'CAVE' Cernat [mailto:cave@cernat.ro]
> if the virus sends emails through local smtp connection, it's a dns problem;
> but if the virus connects directly to the 'backup' smtp server, then,

This is not really lamerish IMO, it's more spammerish. Backup mail servers are often outside of the control of the mail admin - they are likely just store and forward servers. They are less likely to bounce messages, less likely to screen, and less likely to scan for viruses. Spammers love them. Virus distributors sometimes use spam techniques to get that first big bang from their worm.

That's why I'm curious to know if Mimail-infected machines will use this same low-priority MX technique to send to the next round of victims, or if infected machines send via normal MX priorities.

If infected machines use normal priorities, then incoming infected mail through low-priority MX hosts is likely an original distribution, which means the recipient is on the distributor's list of mail addresses and may be more likely to be a day zero recipient of the next email malware.



Received on Mon Aug 4 15:05:05 2003
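Added example, not part of the original post: one way a mail admin could check whether a received message entered through a low-priority MX host, by reading the Received chain stamped by the domain's own MX servers. The domain, MX host names, preference values and sample message are constructed placeholders.

```python
import email
import re

# Constructed MX set for the placeholder domain example.org
# (preference -> host; a lower preference value means higher priority).
MX_RECORDS = {10: "mail.example.org", 50: "backup-mx.example.net"}

# Constructed sample: the message reached the primary via the backup relay.
SAMPLE = (
    "Received: from backup-mx.example.net (backup-mx.example.net [198.51.100.7])\n"
    "\tby mail.example.org with ESMTP; Mon, 4 Aug 2003 14:20:01 -0400\n"
    "Received: from unknown (unknown [203.0.113.99])\n"
    "\tby backup-mx.example.net with SMTP; Mon, 4 Aug 2003 14:19:40 -0400\n"
    "Received: from pc (pc [10.0.0.5])\n"
    "\tby relay.example.com with SMTP; Mon, 4 Aug 2003 14:19:00 -0400\n"
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def entry_mx(raw_message, mx_records):
    """Return (preference, host) of the MX that first accepted the message."""
    prefs = {host.lower(): pref for pref, host in mx_records.items()}
    entry = None
    # Received headers are prepended, so read newest first and stop at the
    # first hop not stamped by one of our MX hosts: everything below that
    # point was supplied by the sender and may be forged.
    for header in email.message_from_string(raw_message).get_all("Received", []):
        match = BY_HOST.search(header)
        host = match.group(1).lower().rstrip(".") if match else None
        if host not in prefs:
            break
        entry = (prefs[host], host)
    return entry


def came_via_backup_mx(raw_message, mx_records):
    """True when the entry point was not the best-preference MX."""
    entry = entry_mx(raw_message, mx_records)
    return entry is not None and entry[0] > min(mx_records)
```

A sender can still forge a header naming the backup MX directly beneath the genuine ones, so a production check should also compare the relay IP recorded by the primary against the backup host's known addresses.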

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:14 EDT

