RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

Seems like the behavior is pretty much universal. Since the posting, I've received two messages through the low weight / primary mail server; however, they were in quarantine. Thinking they might be the original spam message, I checked the SMTP header and found out they were actually forwarded from a user's outside account. I should have known, the sender wasn't admin@[domain.com].

-----Original Message-----
From: James C. Slora, Jr. [mailto:Jim.Slora@phra.com] Sent: Monday, August 04, 2003 11:56 AM
To: att13543
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

att13543 wrote Monday, August 04, 2003 9:54 AM

> I'd be interested if anyone can correlate what I've seen: we have 2
MX
> records, one weighted at 10 (primary) and one at 20 (secondary). Of
the
> 200 or so MiMail's we've seen 100% have come through our SECONDARY
mail
> server. Maybe the SMTP engine was written poorly, or maybe it was
this
> way on purpose?

All of ours were sent to one specific mail server that is way down the priority list.

This matches previous spammed email malware patterns, and I cannot recall any previous worm that looked up all the mail servers and used the lowest-priority one. I'm guessing that the ones we have received were sent by the worm distributors rather than from infected machines. I've dropped them all before the full headers were delivered, so I don't have any way to positively verify this theory.

AV vendor descriptions say the worm takes SMTP server info from the infected computer, which is inconsistent with copies arriving through a low-priority mail server that user are not aware of.

Has anyone examined the message headers to see if there is a detectable difference between messages coming from an infected system and those spammed by the worm author?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek