
*** Heads Up *** New Virus???


Tiger Shark
October 31st, 2003, 08:12 PM
The following is a copy of an email I just sent to all my users:-

Kim xxxxxxx at xxxxxxx just did a wonderful thing. She received an email that didn’t look right with an attachment and called me about it. I had her forward it to me which she did. I updated my virus definitions and immediately scanned the Zip file she had received. No virus found. I unzipped the file called photos.jpg.exe and scanned it. No virus found. So I opened the file using one of my “little tools” to see what it was. It is clearly a virus that mails itself out, contacts a web site and who knows what else. I have submitted it to Symantec for their analysis.

The text of the message to Kim read as follows, (but if you get one it may not be the same):-

BEGIN TEXT
+++++++++++++++++++++++++++++++++++++++

Hello Dear!,

Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.
iioiemve

++++++++++++++++++++++++++++++++++++++++
END TEXT

The attachment was a zip file called photos.zip
It contained a file called photos.jpg.exe (notice the two file extensions)


The incredibly sophisticated tool I used was notepad..... But I don't want the users messing with it......

GrApHiCTrOn
October 31st, 2003, 08:16 PM
When you said sophisticated tool at the beginning I was thinking of Cool Edit :(
Shame on me for having those thoughts

thehorse13
October 31st, 2003, 08:16 PM
LOL!!!

The 31337 notepad tool huh?

Seriously though, I haven't seen this attachment on our "removed" list but I will certainly keep an eye out. If anyone else comes across this, please post to this thread.

Good catch Sharky! I hope you don't catch grenades as well ;)

--TH13

nebulus200
October 31st, 2003, 08:20 PM
It is a variant of MIMAIL:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html

/nebulus

Tiger Shark
October 31st, 2003, 08:21 PM
Ok.... Symantec has replied.

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: C:\photos.jpg.exe
machine:
result: This file is infected with W32.Mimail.C@mm

Developer notes:
C:\photos.jpg.exe is a non-repairable threat. NAV with the latest beta definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest beta definitions.

Note the important bit..... "latest beta definition" ....... Guess I'm not using those..... :eek:



Neb: Funny.... I went to Symantec security response and searched for the zip, the actual file, the email title and several pieces of text from the email before I submitted it to them....... I must have been minutes too early....... :mad:

bballad
October 31st, 2003, 08:47 PM
WOW we need to have beta definitions now.....this is why my mail server strips off all .exe attachments.

nihil
October 31st, 2003, 08:49 PM
Hi Tiger!

Happy Halloween!

Any chance you could send me one? The previous addy would be fine, otherwise PM me and I will remind you of it.

I had that relationship at one of the last places I worked, I just got strange stuff forwarded........the Users were very good (and the contract was for over 3 years), they sent all sorts of suspicious stuff. Being a mil type establishment we did not get much spam, but I had a long battle to get our Infrastructure guys to be security minded :(

My actual role was systems project management, but I soon got to know the guys......great relationship...............OK I did cover for the infrastructure team when needed............they did the same for me and my guys :)


Take care, and don't forget a copy of that virus! I need to get back up to speed, because I don't seem to be capturing as many as I used to? :D

Cheers

Johnno

Tiger Shark
October 31st, 2003, 08:56 PM
BBallad: Yeah.... My firewall does that too..... Trouble is this was in a zip file and I have to let those through 'cos we use them though I do try to restrict the number of users that have winzip installed so they can't open them.... 'cos they'll still go ahead and click on the results.... :rolleyes: But I guess we got through to one user. She did the right thing.....

Und3ertak3r
November 1st, 2003, 08:30 AM
Due to an increased rate of submissions Symantec Security Response has upgraded W32.Mimail.C@mm to a Category 3 threat from a Category 2 threat.

Thanks for the warning TS..

Cheers

spools.exe
November 2nd, 2003, 05:13 PM
thanks for the heads up