Bounced emails with viral attachments
Users have been reporting a rise in bounced email messages with virus attachments. This may indicate a rise in machines infected with a Mimail.* style worm.
I should stress the importance of properly configuring your Anti-Virus Gateway to strip attachments on bounced mail messages.
Your users should be informed (yet again :-) not to click on an attachment in a bounced email message, especially if they did not send it out to begin with.
A couple of messages that were reported matched the file names associated with Mimail.E. For more on Mimail, see the references below:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html
http://www.sophos.com/virusinfo/analyses/w32mimaile.html
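As an added example (not part of the original diary), a small Python filter of the kind the gateway advice above calls for: it recognises a bounce, either by the multipart/report delivery-status type or by sender and subject heuristics, and replaces risky attachments in it with a text stub while leaving ordinary mail alone. The extension list, the heuristics and the two sample messages are constructed for illustration, not taken from any product.

```python
import email
import os
from email import policy

# Extensions refused inside bounce reports (constructed list; a real gateway has its own policy).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".zip"}
BOUNCE_SUBJECTS = ("undeliverable", "returned mail", "delivery failure", "failure notice")


def is_bounce(msg):
    """Recognise a delivery-status notification (RFC 3464) or a bounce-looking message."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    return ("mailer-daemon" in sender or "postmaster" in sender
            or any(k in subject for k in BOUNCE_SUBJECTS))


def strip_bounce_attachments(msg):
    """Replace risky attachments in a bounce with a text stub; return the removed names."""
    removed = []
    if not is_bounce(msg):
        return removed                  # ordinary mail continues down the normal AV path
    for part in list(msg.walk()):       # snapshot, because parts are edited in place
        name = part.get_filename() or ""
        if not part.is_multipart() and os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            part.clear_content()        # drops the payload and every Content-* header
            part.set_content(f"[gateway removed attachment {name!r} from this bounce]")
            removed.append(name)
    return removed


def filter_raw(raw):
    """Parse raw mail, strip it if it is a bounce, return (removed names, attachments left)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = strip_bounce_attachments(msg)
    left = [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]
    return removed, left


# Constructed samples: a fake DSN and a normal user mail, each carrying a harmless bogus .zip.
_ZIP_PART = ('Content-Type: application/octet-stream; name="message.zip"\n'
             'Content-Disposition: attachment; filename="message.zip"\n'
             "Content-Transfer-Encoding: base64\n\nbm90IGEgcmVhbCBhcmNoaXZl\n")
SAMPLE_BOUNCE = ("From: MAILER-DAEMON@example.net\nSubject: Undeliverable mail\n"
                 'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n\n'
                 "--B1\nContent-Type: text/plain\n\nDelivery failed; original attached.\n--B1\n"
                 + _ZIP_PART + "--B1--\n")
SAMPLE_NORMAL = ("From: bob@example.com\nSubject: Q4 report\n"
                 'Content-Type: multipart/mixed; boundary="B2"\n\n'
                 "--B2\nContent-Type: text/plain\n\nReport attached.\n--B2\n"
                 + _ZIP_PART + "--B2--\n")
```

`filter_raw(SAMPLE_BOUNCE)` yields `(['message.zip'], [])` while the same attachment on ordinary mail is left for the regular scanner, which is the distinction the gateway rule is meant to draw.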
We have also noticed an upswing in both 53/UDP (possibly a gradual increase in Sinit/Calypso traffic) as well as 2234/TCP (DirectPlay). Are all the gamers fragging tonight, or is something else lurking?
Port 53/UDP traffic:
http://isc.sans.org/port_details.html?port=53
Port 2234/TCP traffic:
http://isc.sans.org/port_details.html?port=2234
For more on Sinit/Calypso, see the recent Handlers diary: http://isc.sans.org/diary.html?date=2003-12-16
---------
Handler on Duty: Mike Poor http://www.digitalguardian.net