
SANS ISC: Bounced emails with viral attachments SANS ISC InfoSec Forums

Bounced emails with viral attachments
Users have been reporting a rise in bounced email messages with virus attachments. This may indicate a rise in machines infected with a MiMail.* style worm.

I should stress the importance of properly configuring your Anti-Virus Gateway to strip attachments on bounced mail messages.

Your users should be informed (yet again :-) not to click on an attachment in a bounced email message, especially if they did not send it out to begin with.

A couple of messages that were reported matched the file names associated with Mimail.E. For more on Mimail, see the references below:

We have also noticed an upswing in both 53/UDP (possibly a gradual increase in Sinit/Calypso traffic) as well as 2234/TCP (Directplay). Are all the gamers fragging tonight, or is something else lurking?

Port 53/UDP traffic:

Port 2234/TCP traffic:

For more on Sinit/Calypso, see the recent Handlers diary:


Handler on Duty: Mike Poor

Dec 19th 2003
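
As an added illustration of the gateway behaviour recommended in the diary (not code from the diary or from any anti-virus product), this Python filter recognises a bounce and replaces every attachment in it, including those inside the returned original message, with a text placeholder. The bounce heuristics, the allowlist of MIME types, the function names and the sample message are all assumptions made for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leaf MIME types a delivery report legitimately carries (assumed allowlist).
SAFE_LEAF_TYPES = {"text/plain", "text/rfc822-headers"}

def is_bounce(msg):
    """Heuristic: null return path, DSN report type, or a mail-daemon sender."""
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    sender = (msg.get("From") or "").lower()
    return "mailer-daemon@" in sender or "postmaster@" in sender

def _strip(container, removed):
    """Walk MIME parts, including the returned original inside message/rfc822."""
    children = container.get_payload()  # live list, so edits apply in place
    for i, child in enumerate(children):
        if child.is_multipart():
            _strip(child, removed)
        elif child.get_filename() or child.get_content_type() not in SAFE_LEAF_TYPES:
            removed.append(child.get_filename() or child.get_content_type())
            note = EmailMessage()  # text placeholder replaces the stripped part
            note.set_content(f"[{removed[-1]!a} removed from bounce by mail gateway]\n")
            children[i] = note

def strip_bounce_attachments(raw):
    """Return (message_bytes, removed_names); other mail passes through untouched."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    if is_bounce(msg) and msg.is_multipart():
        _strip(msg, removed)
    return (msg.as_bytes() if removed else raw), removed

def build_sample_bounce():
    """Constructed sample: a bounce returning a message with a zip attachment."""
    original = EmailMessage()
    original["From"], original["To"] = "user@example.com", "nobody@example.net"
    original.set_content("see attachment")
    original.add_attachment(b"PK constructed bytes", maintype="application",
                            subtype="zip", filename="sample.zip")
    bounce = EmailMessage()
    bounce["From"], bounce["Return-Path"] = "MAILER-DAEMON@example.net", "<>"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("Delivery failed; the original message is attached.")
    bounce.add_attachment(original)
    return bounce.as_bytes()
```

A gateway sees the envelope sender directly in the SMTP `MAIL FROM`; the `Return-Path` header check stands in for that here because the example works on a stored message.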
