Bounced emails with viral attachments

Published: 2003-12-18
Last Updated: 2003-12-19 03:41:18 UTC
by Mike Poor (Version: 1)
0 comment(s)
Users have been reporting a rise in bounced email messages with virus attachments. This may indicate a rise in machines infected with a MiMail.* style worm.

I should stress the importance of properly configuring your Anti-Virus Gateway to strip attachments on bounced mail messages.

Your users should be informed (yet again :-) not to click on an attachment in a bounced email message, especially if they did not send it out to begin with.

A couple of messages that were reported matched the file names associated with Mimail.E. For more on Mimail, see the references below:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html
http://www.sophos.com/virusinfo/analyses/w32mimaile.html

We have also noticed an upswing in both 53/UDP (possibly a gradual increase in Sinit/Calpso traffic) as well as 2234/TCP (Directplay). Are all the gamers fragging tonight, or is something else lurking?

Port 53/UDP traffic:
http://isc.sans.org/port_details.html?port=53

Port 2234/TCP traffic:
http://isc.sans.org/port_details.html?port=2234

For more on Sinit/Calypso, see the recent Handlers diary: http://isc.sans.org/diary.html?date=2003-12-16

---------

Handler on Duty: Mike Poor http://www.digitalguardian.net
Keywords:
0 comment(s)

Comments


Diary Archives