[Snort-users] New Worm / Virus - WORM_MIMAIL.R?

sam at ...5202... sam at ...5202...
Mon Jan 26 13:56:11 EST 2004


All:

We are experiencing what appears to be a new variant of the MIMAIL virus.
We've had several machines infected now, and I've created a quick
signature:

alert tcp any any -> any any (msg:"Test Virus Pattern"; content:"represented in 7-bit ASCII"; nocase; sid:1000569;)

The contents of the message, at least from what we have gathered, is this:

The subject is: Hi

The body, at least once it comes into our exchange server is:

represented in 7-bit ASCII

The attachments are stored inside a .zip file, but are either .scr, .pif,
.exe etc. etc.

What we've discovered thus far:

* The worm also has its own SMTP engine, and therefore any infected
machine started mass mailing to the internet.

* We've been on the phone with Symantec and Trend, and they are currently
investigating and creating new signatures.

* Some of the attachments come in as status.zip.

* Thought I'd pass this along in case anyone else is stumped.

-Sam
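
An added example, not part of the original post: a mail-triage check that combines the three indicators described above (subject "Hi", the body string used in the signature, and a .zip attachment whose members end in .scr, .pif or .exe), so a match does not rest on the body string alone. The function names and the sample message are assumptions constructed for illustration; the zip member holds placeholder bytes only.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BODY_MARKER = "represented in 7-bit ascii"  # string from the post's signature
RISKY_EXT = (".scr", ".pif", ".exe")         # extensions named in the post


def risky_zip_members(data):
    """Return names inside a zip that end in one of the risky extensions."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXT)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]  # malformed archive: flag it, do not skip it


def triage(raw):
    """List which of the post's indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == "hi":
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            members = risky_zip_members(part.get_payload(decode=True) or b"")
            hits += ["zip:%s:%s" % (name, m) for m in members]
        elif part.get_content_maintype() == "text":
            if BODY_MARKER in part.get_content().lower():
                hits.append("body")
    return hits


def build_sample(subject, body, zip_name, member):
    """Constructed test message (hypothetical helper, harmless contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A message matching all three indicators is a far stronger signal than the body string by itself, which any TCP payload containing that phrase would trigger.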




