Free Republic

New Email Worm
CERT / IBM / Trend Micro / MS ^

Posted on 08/01/2003 12:19:53 PM PDT by dfrussell



To: woofer
unbelievable! the email that is going around looks nothing like something that should be coming in corporate mail doh!
21 posted on 08/01/2003 12:38:31 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)
[ Post Reply | Private Reply | To 17 | View Replies]

To: boxerblues
I'll add a rule #2....be strict in making friends and acquaintances to remove you from silly "joke of the day" type mailing lists.
22 posted on 08/01/2003 12:39:48 PM PDT by mr.pink
[ Post Reply | Private Reply | To 10 | View Replies]

To: dead
we just get a screen shot of the offending message and it sez DO NOT OPEN THIS!
23 posted on 08/01/2003 12:41:35 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)
[ Post Reply | Private Reply | To 19 | View Replies]

To: boxerblues
My company is shutting down a number of applications this weekend that are especially vulnerable (those that incorporate NetBIOS or RPC, whatever they are.)

They almost never do something like that.

24 posted on 08/01/2003 12:43:49 PM PDT by dead (Perdicaris alive or Raisuli dead!)
[ Post Reply | Private Reply | To 23 | View Replies]

To: dead
Not a techie, but I wonder if this has anything to do with gov't warning about the internet attacks they were talking about earlier this week.
25 posted on 08/01/2003 12:45:55 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)
[ Post Reply | Private Reply | To 24 | View Replies]

To: dead
that means they will be shutting down all Windows machines if that's the case.
26 posted on 08/01/2003 12:51:55 PM PDT by dnandell ("you've heard of plato, aristotle, socretes?" "yes" "morons")
[ Post Reply | Private Reply | To 24 | View Replies]

To: Sir Gawain
Anyone that opens an email attachment with that kind of text deserves what they get

Many people are not computer savvy and are vulnerable to these things. Especially if your virus scan does not flag it.

A few months ago I got sent the Ganda virus and Norton let it through. I was suspicious and deleted it without reading it. A few days later it came back and was flagged as a virus by Norton. If you are the first in your neighborhood to get a new virus you may not have an updated virus scan that can detect it. - tom

27 posted on 08/01/2003 12:53:48 PM PDT by Capt. Tom (anything done in moderation shows a lack of interest -Capt. Tom circa 1948)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Arpege92
Be just a bit careful even about email names you know. I recently received an email from a friend and I recognized the subject and it looked perfectly ok. But, the address didn't look quite right. After the @ the location was different from usual. Still, it was passable. But my anti-virus caught it and I discovered it was a variety that spoofs.

At first I accused our friend.

It invaded an organization to which our friend once sent the same email subject. It stole her email name and attached it to the email tail of the organization, and stole her subject line as well. Then, it sent out to all the addys attached to the original. When I queried our friend, she was shocked, surprised, never got hit at all, but almost got the blame.
28 posted on 08/01/2003 1:00:42 PM PDT by 8mmMauser
[ Post Reply | Private Reply | To 6 | View Replies]

To: lainie
Yehp. It's using the defect indicated by the link to spread. The defect is old, the worm is new.
29 posted on 08/01/2003 1:01:43 PM PDT by dfrussell
[ Post Reply | Private Reply | To 11 | View Replies]

To: dfrussell
We've gotten about a hundred hits on this one at work today.
30 posted on 08/01/2003 1:06:05 PM PDT by Junior (Killed a six pack ... just to watch it die.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: boxerblues
#1 rule if you don't know who sent it, the delete is your best friend. If you see a lot of messages from your "friends" with the same subject all of a sudden chances are it is a virus. Better safe than sorry

Actually, if you're using "LookOut," RULE #1 should be to turn off the "Preview Pane." Many malicious code virus and worm infections can occur by simply opening the email, and if the preview pane is open, just clicking on the message will infect your computer before you can delete the message!

To turn off the preview Pane, go to View -> Layout, and then disable the preview pane (I don't have it on this computer, so I'm doing this from memory).

Mark

31 posted on 08/01/2003 1:06:17 PM PDT by MarkL (I didn't claw my way to the top of the foodchain for a salad!)
[ Post Reply | Private Reply | To 10 | View Replies]

To: dfrussell; *tech_index; MizSterious; shadowman99; Sparta; freedom9; martin_fierro; PatriotGames; ...
I depend on Norton to catch these!

OFFICIAL BUMP(TOPIC)LIST

32 posted on 08/01/2003 1:09:20 PM PDT by Ernest_at_the_Beach (All we need from a Governor is a VETO PEN!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: 8mmMauser
Spoofing the return is pretty much the SOP, these days.

IE seems to have been particularly prone. I generally use a linux/unix base and have three different, consecutive virus filters and six different, consecutive spam filters (open proxy / relay / europe / etc).

Our inbound relays are refusing one of these every second or two now... this one has a static subject line so it's easy to refuse before it even gets to the virus filters.

No point in wasting cycles on stuff like this.

33 posted on 08/01/2003 1:13:47 PM PDT by dfrussell
[ Post Reply | Private Reply | To 28 | View Replies]

To: dfrussell
Yeh, there goes the afternoon. Five minutes to deploy the latest virus siggies, four hours to change management diapers...
34 posted on 08/01/2003 1:16:19 PM PDT by Billthedrill
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach
I think I got three of these this afternoon, but Norton never had a chance--I deleted them from the server via mailwasher. I figured they were either something like this, or just dumb spam. Either way, I didn't want them.
35 posted on 08/01/2003 1:21:29 PM PDT by MizSterious (Support whirled peas!)
[ Post Reply | Private Reply | To 32 | View Replies]

To: unix
Been there, done that, and got the T-Shirt!
36 posted on 08/01/2003 1:29:14 PM PDT by killerw ("All of my guns together haven't killed as many people as ted kennedy's car".)
[ Post Reply | Private Reply | To 14 | View Replies]

To: MizSterious

New e-mail worm spinning across the Internet

By DWIGHT SILVERMAN
Copyright 2003 Houston Chronicle

A new e-mail worm that takes advantage of a flaw in Internet Explorer 6 and appears to come from a recipient's computer system administrator is racing across the Internet today.

Mimail.A includes the words "Your Account" in the subject line and comes with an attachment named MESSAGE.ZIP. Symantec Corp., which makes Norton Antivirus software, has pegged Mimail's threat level at 3 out of a possible 4.

Vincent Weafer, senior director for Symantec Security Response, said the worm does not appear to be destructive, but it is spreading rapidly across the Internet, and may be bogging down e-mail servers.

He said the appearance of the worm caught many companies and individuals by surprise.

"I suspect that, after the weekend, it will die down as companies update their firewalls and consumers download new antivirus definitions," he said.

The worm tricks users into opening the attachment because it appears to come from someone who works on the computer network within the receiver's domain. For example, users who are on America Online may see the worm with a From: address of admin@aol.com.

The U.S. Department of Homeland Security earlier this week warned of a threat to the Internet from hackers and virus writers taking advantage of a recently found flaw in Microsoft's Windows operating systems. Weafer said Mimail does not appear to be related, taking advantage of a different flaw.

More information is available at Symantec's Web site.

37 posted on 08/01/2003 1:33:40 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 35 | View Replies]
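
Added example, not part of any post in this thread: a sketch of the header-level check that post 33 describes (refusing on the static subject line before the virus filters run), extended to the other indicators reported in the article in post 37. The function names, the example.com addresses and the refusal policy (attachment name plus at least one header indicator) are assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as reported in the article above; the matching policy is an assumption.
SUBJECT_MARKER = "your account"
ATTACHMENT_NAME = "message.zip"

def split_addr(header_value):
    """Return (local part, domain) of the first address in a header, lower-cased."""
    addr = parseaddr(header_value or "")[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain

def mimail_indicators(raw_message):
    """Return the set of reported Mimail.A indicators found in one message."""
    msg = message_from_string(raw_message)
    hits = set()
    if SUBJECT_MARKER in (msg.get("Subject") or "").lower():
        hits.add("subject")
    # Sender poses as 'admin' at the recipient's own domain.
    local, from_dom = split_addr(msg.get("From"))
    _, to_dom = split_addr(msg.get("To"))
    if local == "admin" and from_dom and from_dom == to_dom:
        hits.add("admin_at_own_domain")
    for part in msg.walk():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.add("attachment")
    return hits

def should_refuse(raw_message):
    """Refuse when the attachment name and at least one header indicator match."""
    hits = mimail_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, sender, rcpt, filename):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, rcpt
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for args in (("your account", "admin@example.com", "user@example.com", "message.zip"),
                 ("Your account statement", "billing@example.org", "user@example.com", "statement.pdf")):
        print(args[3], should_refuse(build_sample(*args)))
```

Requiring the attachment name alongside a header match keeps ordinary mail that merely mentions "your account" from being refused.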

To: dfrussell; All
Ahhh.

Centcom's finally caught up.

http://biz.yahoo.com/prnews/030801/clf025_1.html

Good catch, df :-)

38 posted on 08/01/2003 1:58:16 PM PDT by lainie
[ Post Reply | Private Reply | To 1 | View Replies]

To: killerw
Right on!

Love your tagline..that's funny

39 posted on 08/01/2003 2:00:20 PM PDT by Michael Barnes
[ Post Reply | Private Reply | To 36 | View Replies]

To: dfrussell
HOW WE TELL PEOPLE IT WORKS:

Administrative support people meet with management. Latest patch discussed, server schedule made and heroic SAs volunteer to spend their evening away from home and family defending the firm against the killer virus.

HOW IT REALLY WORKS:

1. Patches integrated into regular support schedule that was going to run this evening anyhow.
2. SA 1 whose husband works at Microsoft calls him and says "if your company didn't write such s*$&%&y code I wouldn't have to stay late tonight. YOU're doing the housework, buddy!" (I am not making this up).
3. SA 2 (your hero BtD) volunteers to stay this evening to reboot such servers as a trembling management dares to do (we're "testing") - sniffling over an evening lost and hiding his baseball game tickets behind his back...
4. Management goes home satisfied that the job is in the hands of professionals. SA 1 goes out for a drink with the girls. SA 2 (me) patches the boxes. Will reboot at 5:00. Will be in beer garden by 5:30. First pitch at 7:05...

40 posted on 08/01/2003 3:23:46 PM PDT by Billthedrill
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
