started getting virus emails yesterday
I started receiving a few emails yesterday from people I didn't even know, with attachments. I just delete them. This morning I had some bounced back to me saying I had sent them with that attachment. I think it's just changing the name of who sent them and sending from someone else's box actually, as the address it used as my sending address is an old email address I have not used since Comcast bought out AT&T and my email changed six months ago. It still gets forwarded to me but that's not my current email address anywhere in my system, so the virus has infected someone else and is sending stuff as if it's from their system, it appears.
So watch out guys, as it's coming your way.
tex
Necropolis
27 Jan 2004, 2:53pm
Tex,
Have a look over here http://www.short-media.com/forum/showthread.php?t=9187
Seems a lot of people are getting the same thing.
Aranyic
27 Jan 2004, 2:54pm
Yep, the thing is a beast :p, MessageLabs users alone have confirmed over 575,000 copies sent to them in the last 24 hours.
Straight_Man
27 Jan 2004, 2:59pm
Yeah, Mimail through Mimail.q now spoofs email and harvests email addresses. Here's a bit about Mimail.q:
From a Kaspersky Labs Virus Alert
Mimail.q spreads via email in messages with varying content (there are
about 30 variations) with random attachment names. The worm consists of
two components: the dropper (the module which installs the core) and the
carrier (the core).
If a user is thoughtless enough to launch the file attached to the
infected email, the dropper proceeds to open a window with a fake error
message. The dropper copies itself into the Windows registry under the
name sys32.exe and registers itself in the system registry auto run key.
Finally, the dropper unpacks the main component, a file named
outlook.exe and launches it in order to execute it.
The most important modification in Mimail.q is the polymorphic
encryption keys built in to fool anti-virus programs. Every time the
infected machine is restarted Mimail.q changes the encryption key so
that the copies of itself that Mimail sends look different every time.
This means that anti-virus programs must have a decryption routine in
order to contend with Mimail.q successfully.
The main component of the worm performs several functions at once.
Firstly, it sends copies of Mimail.q by scanning the contents of disks
and extracting email addresses. Infected messages are then sent to these
addresses by using the inbuilt mailing mechanism.
Secondly, the main component opens the infected computer to the creator
of the worm using ports 80, 1433, 1434, 3000, and 6667. The worm
receives commands via these ports and sends information about the
execution of these commands to a variety of public email system
addresses.
Thirdly, Mimail.q gathers information about PayPal and E-Gold accounts
on the computer in exactly the same way as previous versions of Mimail
do, and sends the information needed to access these accounts to the
addresses mentioned above.
A fuller description about this malicious program can be found in the
Kaspersky Virus Encyclopedia
(http://www.viruslist.com/eng/alert.html?id=836443).
This thing is hitting in Europe, Eastern Europe, Russia and the Far East first. It spreads VERY fast. I got a writeup from Kaspersky Labs yesterday. But, what you got is not necessarily this virus, though given the spread of the other spoofers of the Mimail kind this is likely to be one that will not be disinfected easily and is likely to spread like wildfire. The link has what is common for this virus, to recognize it in email. BTW, Kaspersky Labs LIKES many free subscribers to their AV Alert list (subscribe box on the same page as the link in the quote), and the core heuristics used are in part licensed from F-Protect, who makes what is also called F-Prot.
John.
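The two things the thread has described so far, a forged From: address that draws bounces back to an old mailbox, and a worm arriving as a randomly named executable attachment, can both be spotted from the message itself. Below is an added example (not from this thread, Kaspersky, or any of the products mentioned): a small Python triage script that compares the From: header with the envelope sender in Return-Path:, recognises delivery-status reports, and looks for executable attachments including ones hidden inside a .zip. All the messages it checks are constructed fixtures built inline; the addresses, domains and attachment contents are made up, and only the attachment names echo ones mentioned in this thread.

```python
import io
import os
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions that execute when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def executable_names(filename, payload):
    """Return executable file names found in one attachment.

    A bare executable is reported by its own name; a .zip is opened in
    memory and executable members are reported as zipname:member.
    """
    found = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTS:
        found.append(filename)
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member.lower())[1] in EXECUTABLE_EXTS:
                        found.append(f"{filename}:{member}")
        except zipfile.BadZipFile:
            found.append(f"{filename} (unreadable zip)")
    return found


def triage(raw_message):
    """Parse one raw message and return a list of findings (empty means nothing odd)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # From: is whatever the sending program typed; Return-Path: is the envelope
    # sender recorded by the receiving mail server. A worm forging From: usually
    # leaves the two disagreeing.
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    if from_addr and envelope and from_addr != envelope:
        findings.append(f"sender mismatch: From={from_addr} Return-Path={envelope}")

    # A delivery report for mail you never sent means some other infected
    # machine used your address as the forged From: (backscatter).
    if msg.get_content_type() == "multipart/report":
        findings.append("delivery report (bounce): if you never sent it, your address was forged")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        for hit in executable_names(name, payload):
            findings.append(f"executable attachment: {hit}")
    return findings


# ---- constructed fixtures, not real captures -------------------------------

def build_sample(from_header, return_path, subject, attachments):
    """Assemble a test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["Return-Path"] = return_path
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def zip_with_member(member_name):
    """Build an in-memory zip holding one fake, non-functional member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ constructed stub, not a program")
    return buf.getvalue()


# Worm-style message: From: forged as an old address, envelope sender is someone else's box.
FORGED = build_sample("Tex <tex@old-isp.example>", "<someone@example.net>",
                      "Re: your photos", [("upgrade92.exe", b"MZ constructed stub")])
# Headers agree, but the zip hides a double-extension executable.
ZIPPED = build_sample("Tex <tex@old-isp.example>", "<tex@old-isp.example>",
                      "my photos", [("myphoto.zip", zip_with_member("myphoto.jpg.exe"))])
# Ordinary message with no attachment.
CLEAN = build_sample("Tex <tex@old-isp.example>", "<tex@old-isp.example>", "hi", [])
# Bounce of the forged message coming back to the old address (constructed).
BOUNCE = b"""\
Return-Path: <>
From: Mail Delivery System <mailer-daemon@example.net>
To: tex@old-isp.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="rep"

--rep
Content-Type: text/plain

The message below could not be delivered.
--rep
Content-Type: message/rfc822

From: Tex <tex@old-isp.example>
To: nobody@example.net
Subject: Re: your photos

see attached
--rep--
"""

if __name__ == "__main__":
    for label, raw in [("forged", FORGED), ("zipped", ZIPPED), ("clean", CLEAN), ("bounce", BOUNCE)]:
        print(label, triage(raw) or ["no findings"])
```

Run it as-is to see the four verdicts, or feed `triage()` a saved .eml file opened in binary mode. The header comparison is deliberately conservative: it only reports a mismatch when both From: and Return-Path: carry an address, since a bounce has an empty envelope sender and mailing lists legitimately rewrite Return-Path:.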
bothered
27 Jan 2004, 3:54pm
What is wrong with these people? If anybody reads this who has anything to do with writing viruses then this is to you. You are a moron, Stop it. Get a life.
I was wondering how it was using my old email address. Asked Robin and she said "Oh No", she got one at work yesterday and they still use groupware, some nasty Novell **** on a huge corporate network, and she had got one at work and it defaults to my old home email somehow, so she infected her workplace I bet when she opened it. She didn't read the attachment she said but the screen filled with "gobblety goop". Don't you love that detailed technical explanation, and she's an Oracle DBA and has worked with PCs for 13 years now. (long sigh.....) At her work they do not keep the 1500 PCs all patched with OS patches to protect against the JavaScript bugs and crap, so if it makes it through their virus checker all the PCs are just f*cked.
They should have fun up there today with 1500 PCs on their network.
Tex
MediaMan
27 Jan 2004, 5:28pm
I have been getting 5-8 a day on my mediaman@short-media.com addy and they are getting clever in the subject lines. My personal email hasn't been hit yet nor my work email. But it will soon.
Enverex
27 Jan 2004, 5:38pm
Though as I said before, why am I the only one who has been getting these for the last 4 or 5 months? (2-20 a day).
shwaip
27 Jan 2004, 5:46pm
heh...I haven't seen any to either my school or hotmail acct.
Straight_Man
27 Jan 2004, 6:09pm
Though as I said before, why am I the only one who has been getting these for the last 4 or 5 months? (2-20 a day).
SAME virus, or myphoto.zip attachments??? Several viruses now use that kind of attachment naming, and that photos theme. First Mimail hit in June of 2003 that was fairly major (Mimail.c); Mimail.q (which went from NADA three days ago to a class two this AM very early at Symantec) is being compared with Novarg as both similar in some ways now, and enough is becoming apparent that a lot of security folks, me included, think there is a viral authoring group sharing ideas at least if not actively co-operating. They are becoming too common and in too many bunches to be otherwise unless they are copying each other. Look up Mimail.c, Mimail.j, and Mimail.q on http://www.viruslist.com/ or Symantec's Security Response area and you will see we have RELATED viruses being developed to be more and more complex. This happened to a degree with Sober also. You are getting related viruses, I THINK, not identical ones.
If you want some interesting (heavy) reading, look up keyword Dumaru at above URL and also MyDoom. We end users are getting attacked by viral group attacks, and timings look coordinated.
Note, anyone with retail non-Enterprise NAV might want to do an Intelligent Updater pickup, BTW; their server is busy, expect slower than normal download. The LiveUpdate (weekly, Wednesday PM EST normally) will not be out until tomorrow unless Symantec declares a priority viral def update.
ATM, I have gotten major alerts on three viruses from 4 major AV vendors in the last 24 hours.
John.
Enverex
27 Jan 2004, 6:25pm
The attachment of the one I just got was called - upgrade92.exe...
bothered
28 Jan 2004, 5:50am
I just checked my email and got five from S-M. One of them was from Dexter for the thread 'has VoE gone to far?' The message said 'test'. There was no attachment but I deleted it anyway. When I check the forum the post doesn't exist, I did a virus scan and it's all clear. This looked like a regular email from S-M. What do you think?
primesuspect
28 Jan 2004, 6:05am
That was a normal email.
bothered
28 Jan 2004, 3:29pm
OK, but it referred to a post by Dexter that doesn't exist. I thought that was odd.
Necropolis
28 Jan 2004, 3:36pm
OK, but it referred to a post by Dexter that doesn't exist. I thought that was odd.
Dexter may have deleted the post.
Straight_Man
28 Jan 2004, 4:03pm
The attachment of the one I just got was called - upgrade92.exe...
Did the text of the message talk about a Microsoft upgrade??? And say it was from Microsoft??? If not, and you can, tell me the message text and the subject and the header content. I can boolean search-and-match to a virus ID with those pieces of info, and there IS a virus that does EXACTLY what I asked first about with a semi-random attachment filename. It DOES activate with a click on the attachment and is not an autoloader-on-arrival virus.
MICROSOFT DELIBERATELY does NOT use email advisories of updates.
John.
Enverex
28 Jan 2004, 4:20pm
Yep (I also get ones (almost at the same time) that are faked return e-mails and such)
Straight_Man
28 Jan 2004, 5:31pm
Yep (I also get ones (almost at the same time) that are faked return e-mails and such)
Ok, let me see what the bugger is EXACTLY, and see if Symantec pubbed a fixer\remover if it has been "upgrade" run. If not, no worries.
John.
Enverex
28 Jan 2004, 5:34pm
I scanned it with Avast and it didn't pick anything up (latest version of Avast and Defs) so I can't rank that AVS as any good.
Straight_Man
28 Jan 2004, 6:02pm
Swen.a
Fixer here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html
Also look up fixer for Klez.
Recommend F-Prot for AV, or BitDefender. BOTH have desktop versions, the F-Prot trial will kill your Klez and Swen also. It runs on XP and down, comes in the US as 10 packs for 50 dollars a year. (singles are $29.95 each, simpler and less RAM-hogging GUI than NAV, decent to very good, will need more time to play with it and ICSA test it to say it is great, but the engine is very good)
F-Prot is a coded-in-Iceland product, its heuristics are used in Kaspersky Antivirus also. Available in Windows desktop and Linux and Enterprise and Unix mailscan versions. In the US, you can get it at http://www.raeinternet.com/
John.
pseudonym
28 Jan 2004, 6:19pm
Nothing as of yet for me...... Hopefully it stays that way.....
Enverex
28 Jan 2004, 6:42pm
No point looking for fixes for things that I don't have. I am just saying I get sent them constantly.