I-Worm.Mimail info?


David W. Hodgins

I haven't seen this one before.

Attached file message.zip removed from posting.

The attached zip file contains message.html.

It contains a UPX-compressed copy of what
Kaspersky's online scanner calls I-Worm.Mimail.
I haven't found any additional info on this one
yet. Anyone else seen it yet?

F-Prot (DOS) and AVG, with current definitions,
do not flag the file, even if stripped down to
just the executable, and uncompressed.

Regards, Dave Hodgins

------- Forwarded message -------
Return-Path: <[email protected]>
Received: from localhost ([170.252.3.3])
by fep01-mail.bloor.is.net.cable.rogers.com
(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
id <20030801184057.LGAL268656.fep01-mail.bloor.is.net.cable.rogers.com@localhost>
for <[email protected]>; Fri, 1 Aug 2003 14:40:57 -0400
From: (e-mail address removed)
To: Dhodgin1661 <[email protected]>
Reply-To: (e-mail address removed)
X-Mailer: The Bat! (v1.61)
X-Priority: 2 (High)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------13242FBA09D51DF"
Message-Id: <20030801184057.LGAL268656.fep01-mail.bloor.is.net.cable.rogers.com@localhost>
Date: Fri, 1 Aug 2003 14:41:14 -0400
X-Spam-Status: Yes, hits=7.8 required=5.0
tests=FORGED_MUA_THEBAT,NO_REAL_NAME,SUBJ_HAS_SPACES,
SUBJ_HAS_UNIQ_ID
version=2.55
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Spam-Report: This mail is probably spam. The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.
Content preview: Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details. --- Best regards,
Administrator uspueiee [...] Content analysis details: (7.80 points, 5 required)
NO_REAL_NAME (1.0 points) From: does not include a real name
SUBJ_HAS_SPACES (1.4 points) Subject contains lots of white space
SUBJ_HAS_UNIQ_ID (1.1 points) Subject contains a unique ID
FORGED_MUA_THEBAT (4.3 points) Forged mail pretending to be from The Bat!
X-Spam-Flag: YES
Subject: *****SPAM***** your account uspueiee

------------13242FBA09D51DF
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
uspueiee

------------13242FBA09D51DF
Content-Type: application/x-zip-compressed; name="message.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="message.zip"
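A defender's cross-check of the SpamAssassin scoring shown in the forwarded headers, added here as an example and not part of the original thread: it parses X-Spam-Status and the X-Spam-Report breakdown and verifies that the per-rule scores add up to the hits, that the Yes/No flag agrees with hits versus required, and that the X-Spam-Level stars match. These headers are plain text that any upstream sender could add themselves, so this kind of consistency check is what makes them worth acting on downstream; the sample is constructed from the headers above, with continuation lines re-indented so they unfold correctly.

```python
import re
from email import message_from_string

# Constructed sample: the SpamAssassin 2.55 headers from the forwarded message
# above, with continuation lines re-indented so they unfold as RFC 822 headers.
SAMPLE_HEADERS = """\
Subject: *****SPAM***** your account uspueiee
X-Spam-Status: Yes, hits=7.8 required=5.0
\ttests=FORGED_MUA_THEBAT,NO_REAL_NAME,SUBJ_HAS_SPACES,
\tSUBJ_HAS_UNIQ_ID
\tversion=2.55
X-Spam-Level: *******
X-Spam-Report: This mail is probably spam. The original message has been attached
  along with this report, so you can recognize or block similar unwanted
  mail in future. See http://spamassassin.org/tag/ for more details.
  Content analysis details: (7.80 points, 5 required)
  NO_REAL_NAME (1.0 points) From: does not include a real name
  SUBJ_HAS_SPACES (1.4 points) Subject contains lots of white space
  SUBJ_HAS_UNIQ_ID (1.1 points) Subject contains a unique ID
  FORGED_MUA_THEBAT (4.3 points) Forged mail pretending to be from The Bat!

"""

RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) \(([-\d.]+) points\)")  # "RULE (1.0 points)"

def parse_spam_status(raw):
    """Split 'Yes, hits=7.8 required=5.0 tests=A,B version=2.55' into fields."""
    text = " ".join(raw.split())                  # unfold, squeeze whitespace
    head, _, rest = text.partition(" tests=")
    tests_part, _, version = rest.partition(" version=")
    m = re.fullmatch(r"(Yes|No), hits=([-\d.]+) required=([-\d.]+)", head)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: " + text)
    tests = [t for t in tests_part.replace(" ", "").split(",") if t]
    return {"flagged": m.group(1) == "Yes", "hits": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests, "version": version}

def parse_report_rules(raw):
    # Map each rule named in the X-Spam-Report breakdown to its score.
    return {name: float(score) for name, score in RULE_RE.findall(raw)}

def check_consistency(headers_text):
    # Cross-check the scoring headers against each other; returns (status, rules, problems).
    msg = message_from_string(headers_text)
    status = parse_spam_status(msg["X-Spam-Status"])
    rules = parse_report_rules(msg["X-Spam-Report"] or "")
    checks = [
        (abs(sum(rules.values()) - status["hits"]) > 0.05, "rule scores do not add up to hits"),
        (status["flagged"] != (status["hits"] >= status["required"]), "flag disagrees with hits vs required"),
        (set(status["tests"]) != set(rules), "tests list disagrees with report breakdown"),
        ((msg["X-Spam-Level"] or "").strip() != "*" * int(status["hits"]), "X-Spam-Level stars do not match hits"),
    ]
    return status, rules, [text for failed, text in checks if failed]
```

On the sample the four rule scores sum to the 7.8 hits and the heaviest contributor is FORGED_MUA_THEBAT, the spoofed X-Mailer that the worm's mail carries.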
 

Me

This is going around like crazy this morning. McAfee has the most info on
it.



Michael Cecil


http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
 

David H. Lipman

And... with ENGINE v4160 and min. DAT v4192 there is generic coverage!
There is an EXTRA.DAT that was posted, and DAT release v4282 was posted to cover the infector
with the name W32/mimail@mm.

Dave
 

totojepast

There is a chart available at
http://www.viry.cz/go.php
showing when the antivirus databases were updated - Kaspersky, F-Prot
and Trend Micro seem to be the fastest-upgraded antiviruses.

However, was any antivirus able to detect Mimail by heuristic
analysis or as an HTML exploit?
 

Mal

totojepast said:
> There is a chart available at
> http://www.viry.cz/go.php
> showing when the antivirus databases were updated - Kaspersky, F-Prot
> and Trend Micro seem to be the fastest-upgraded antiviruses.
>
> However, was any antivirus able to detect Mimail by heuristic
> analysis or as an HTML exploit?

McAfee claim that they might be able to:
http://vil.nai.com/vil/content/v_100523.htm
"The 4192 DAT files (or higher) and 4.1.60+ scan engine will detect this
threat in some environments. The detected name is Exploit-Codebase."
 

Igor

totojepast said:
> There is a chart available at
> http://www.viry.cz/go.php
> showing when the antivirus databases were updated - Kaspersky, F-Prot
> and Trend Micro seem to be the fastest-upgraded antiviruses.
>
> However, was any antivirus able to detect Mimail by heuristic
> analysis or as an HTML exploit?

This is what confuses the Hell out of me -- this very virus/worm/whatever
has the term "malware" in it. I looked. Is there any non-malicious
application that has "malware" in it? Not that the authors will always do
this, but in every malware I have received and stopped before the
definitions were issued, "malware" is used inside. Why isn't that term
used by the heuristics engine?

Or, what about an HTML doc that has commands in it to launch an exe file?
What is the benefit of not flagging that as suspicious?
 

Nick FitzGerald

Igor said:
> This is what confuses the Hell out of me -- this very virus/worm/whatever
> has the term "malware" in it. ...

Yes, because the PoC MHTML file illustrating that the codebase exploit works in the
"My Computer" security zone, which the virus writer took as the basis of the
HTML trick used in this virus, is from malware.com and, surprise, surprise, the
virus writer was too lame or too lazy to change it...

> ... I looked. Is there any non-malicious
> application that has "malware" in it? ...

This Email?

OK, well maybe not this precise one because you and I have the good taste to
not post HTML-format News, but if you had posted an HTML format message then
your message could easily be argued to be an "application". Because of all the
security flaws in what is laughably the world's most popular HTML rendering
engine, any HTML has to be considered potentially "programmatic".

> ... Not that the authors will always do
> this, but in every malware I have received and stopped before the
> definitions were issued, "malware" is used inside. Why isn't that term
> used by the heuristics engine?

Fortunately, the anti-malware heuristics folk have a bit more experience than
you and they realize that the really pertinent question is not "has feature X
ever appeared in malware" or even "has feature X appeared in quite a bit of
malware" but more one of "what is the resolving power of feature X to
distinguish between malware and non-malware".

And, of course, I am ignoring the fact that in desktop-deployed systems, the
simple existence (or otherwise) of a short text string would probably always
have to be considered a completely worthless heuristic.

> Or, what about an HTML doc that has commands in it to launch an exe file?
> What is the benefit of not flagging that as suspicious?

Well, you see, believe it or not, there is a whole class of files -- designed
by Microsoft, of course -- where precisely what you just described is part of
the raison d'être of the file type. Worse still is that MS has sold this as a
"good idea" to some obviously security-ignorant large customers and now claims
that it "cannot" remove support for this "feature" because it has major clients
that have developed system administration processes in very large Windows LANs
based on just this functionality (what's the bet that they are referring to MSN
and Hotmail??). I suggest that you Google the phrase "HTML Application"...
 

Nick FitzGerald

totojepast said:
> However, was any antivirus able to detect Mimail by heuristic
> analysis or as an HTML exploit?

NAI/McAfee at least (perhaps KAV too?) detected the "My Computer" codebase
exploit in the HTML extracted from the mass-mailed ZIP independent of
knowing what the .EXE that was being extracted was or did.

So, the answer is, yes.

Some other products may also have had such detection, based on the presence
of the (apparent) exploit code (in fact, given that the exploit is basically
exactly that from the first published PoC of the exploitability of this IE
vulnerability, any scanner that is "serious" about extending its repertoire
to include exploit detection should have caught this...).
 

FromTheRafters

Lyle H. Gray said:
> He's right, it definitely has the word "malware" in it - it's used as the
> name of a JavaScript function.

I am not doubting that the term is there (I've read a description
of the exploit). My comment above referred to the possible use
of that term in any of a large number of "non-malicious" applications
that I haven't bothered looking into.
 
