Message-ID: <Law10-F1245gSyZ1nwn00039f20@hotmail.com>
From: erwinp21 at hotmail.com (- -)
Subject: FWD:[threatnews] Malformed Zip Attachment Advisory
Dear Subscriber
Aliases:
W32/Mimail.c@mm, Worm_Mimail.C, W32/Mimail-C, Mimail.C
Description of Incident
The Mimail worm is today spreading in moderate numbers. The worm is a mass
mailer, with an attached zip file (photos.zip), which contains the
executable file photos.jpg.exe. The file cannot run without the user
extracting the executable and running it. The worm fakes the sender's e-mail
address by composing it from 'james@' and the domain name of a recipient.
The worm tries to perform a DDoS (Distributed Denial of Service) attack on
the following sites:
darkprofits.com
darkprofits.net
www.darkprofits.com
www.darkprofits.net
Subject:
Re[2]: our private photos <random letters>
Attachments:
photos.zip
Message body:
Hello Dear!
Finaly i've found possibility to right u, my lovely girl
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX
Right now enjoy the photos.
Kiss, James.
Severity: Medium
Incidence: Medium
Potential impact: Low
Avoidance Action:
We have received reports that the attachment passed through a File Detector
scenario on MAILsweeper for SMTP 4.3.10 and earlier.
As a precaution we advise possibly affected customers to apply a Text
Analyzer scenario using the string "possibility to right" as this constant
appears in the message and is unlikely to generate false positives.
Other customers should be fully protected by blocking executable file types.
Antivirus updates should be applied where available.
Reference Links:
If any of the links below extend over a single line in your mail client, cut
and paste the entire URL.
<http://www.sophos.com/virusinfo/analyses/w32mimailc.html>
<http://www.avp.ch/avpve/worms/email/mimailc.stm>
<http://www.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html>
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.C>
<http://vil.nai.com/vil/content/v_100795.htm>
<http://www.f-secure.com/v-descs/bics.shtml>
Pete Simpson
ThreatLab Manager
------------------------------------------------------------------------------------------------------------------------------------------------
Dear Subscriber,
Over the weekend variants D, E, F, G and H of the W32/Mimail mass mailing
worm were identified in the wild, but did not generally spread in
significant numbers. These variants are of particular interest to
MAILsweeper for SMTP users due to malformation of the zip file attachments.
We have seen samples of the zip files (all called readnow.zip and containing
readnow.doc.scr) that are deliberately malformed and may be classified as
binary by MAILsweeper.
We advise any customers who are not already doing so to block the
attachments with a File Detector scenario, using the explicit masks
"photos.zip" and "readnow.zip".
Work is under way to provide a patch to enable correct decomposition of
similarly malformed zip files and customers will be advised of availability
in due course.
Pete Simpson
ThreatLab Manager
------------------------------------------------------------------------------------------------------------------------------------------------
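Added example, not part of the forwarded advisories and not Clearswift's MAILsweeper code: a small Python screener that applies the three controls the advisories recommend (the explicit "photos.zip"/"readnow.zip" name masks, the "possibility to right" body string, and blocking executable file types, including double extensions such as photos.jpg.exe and readnow.doc.scr), and that treats a zip it cannot decompose as something to block rather than as an opaque binary to pass through, which is the gap the second advisory describes. The three sample mails, the function names (screen_message, inspect_zip, make_zip, build_message) and the list of executable extensions are constructed for this example; the "malformed" archive is produced by dropping the end-of-central-directory record, which is one way, not necessarily the variants' way, to break a zip.

```python
"""Attachment screener illustrating the advisory's controls (added example,
not MAILsweeper code).  Sample mails are constructed to mimic the Mimail.C
message and the malformed readnow.zip of variants D-H."""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Policy taken from the advisory text; the extension list is an assumption.
BLOCKED_NAMES = {"photos.zip", "readnow.zip"}       # File Detector masks
BODY_MARKERS = ("possibility to right",)             # Text Analyzer string
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ZIP_MAGIC = b"PK\x03\x04"


def has_executable_extension(name):
    """Last suffix decides, so photos.jpg.exe and readnow.doc.scr both match."""
    lowered = name.lower()
    dot = lowered.rfind(".")
    return dot != -1 and lowered[dot:] in EXECUTABLE_EXTS


def inspect_zip(data):
    """Return (parsed_ok, member_names).

    parsed_ok is False when the zip library cannot open the archive or a
    member fails its CRC.  A scanner that cannot see inside the archive
    must block it, not fall back to classifying it as plain binary."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [info.filename for info in zf.infolist()]
            return zf.testzip() is None, names
    except zipfile.BadZipFile:
        return False, []


def screen_message(raw):
    """Return the list of reasons to block; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for marker in BODY_MARKERS:
        if marker in text:
            reasons.append(f"body contains Text Analyzer string {marker!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower() in BLOCKED_NAMES:
            reasons.append(f"attachment {name!r} matches a File Detector mask")
        if has_executable_extension(name):
            reasons.append(f"attachment {name!r} is an executable type")
        if name.lower().endswith(".zip") or data.startswith(ZIP_MAGIC):
            ok, members = inspect_zip(data)
            if not ok:
                reasons.append(f"attachment {name!r} is a malformed zip")
            for member in members:
                if has_executable_extension(member):
                    reasons.append(f"archive {name!r} contains executable {member!r}")
    return reasons


def make_zip(member_name, payload, truncate=False):
    """Build a zip in memory; truncate=True drops the 22-byte end-of-central-
    directory record so a strict decomposer cannot open the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    data = buf.getvalue()
    return data[:-22] if truncate else data


def build_message(to_addr, subject, body, attachment_name, attachment_bytes):
    """Constructed sample mail; From is forged the way the advisory describes
    ('james@' plus the recipient's domain)."""
    msg = EmailMessage()
    msg["From"] = "james@" + to_addr.split("@", 1)[1]
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


# Body text quoted from the advisory's sample; the misspellings are the worm's.
MIMAIL_BODY = ("Hello Dear!\nFinaly i've found possibility to right u, my lovely girl\n"
               "Right now enjoy the photos.\nKiss, James.\n")

SAMPLES = {
    "mimail_c": build_message("alice@example.org", "Re[2]: our private photos qzkp",
                              MIMAIL_BODY, "photos.zip",
                              make_zip("photos.jpg.exe", b"MZ" + b"\x00" * 64)),
    # Variants D-H: the advisory quotes no body text, so a neutral one is used.
    "mimail_d": build_message("alice@example.org", "Re: document", "See the attachment.\n",
                              "readnow.zip",
                              make_zip("readnow.doc.scr", b"MZ" + b"\x00" * 64, truncate=True)),
    "benign": build_message("alice@example.org", "Holiday snaps", "Photos from the beach.\n",
                            "snaps.zip", make_zip("beach.jpg", b"\xff\xd8\xff" + b"\x00" * 64)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = screen_message(raw)
        print(label, "BLOCK" if verdict else "DELIVER", verdict)
```

The point of the malformed case is visible in the output: for readnow.zip the screener never sees readnow.doc.scr at all, because the archive will not open, so the executable-type rule alone would have let it through; the name mask and the "cannot decompose, therefore block" verdict are what catch it, which is why the advisory asks for the explicit masks until decomposition is fixed.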