
Mimail worm spreading; likely not an RPC exploit

Edward Hurley, SearchSecurity.com News Writer

A new mass-mailing worm sprouted Friday that uses crafty social engineering to entice recipients into opening it.

Dubbed Mimail-A, the worm arrives as an attachment to an e-mail purporting to be from an enterprise's e-mail administrator. Both Trend Micro and McAfee Security have it listed as a medium threat risk. There were initial reports that the worm exploited the RPC-DCOM vulnerability but that doesn't appear to be the case, said Vincent Gullotto, vice president of McAfee AVERT (antivirus emergency response team).

"We aren't seeing any buffer overflows," which is what the RPC flaw is, Gullotto said, noting they are still researching the worm.

There have also been reports from other antivirus companies that the worm exploits an Internet Explorer vulnerability, but nothing is confirmed. Most experts do agree that the worm doesn't have a destructive payload.

The worm seems to have gained some traction because of its ability to look like it came from the system administrator. For example, someone with a searchsecurity.com e-mail domain would get a message from "admin@searchsecurity.com."

"We have both a global alert and one in the United States out on this one," said David Perry, Trend Micro Inc.'s global director of education. "But this is not played out. We hope to circumvent a major outbreak."

In fact, the worm may contain the seeds of its own destruction. Each time it spreads, it increases in size by 536 bytes. Over time, this growth will choke its progress, Perry said. "We saw a similar situation with FunLove five years ago," he said.

However, the worm's growth also allowed it to sneak by antivirus scanners - at least initially.

Here is what the message looks like:

Subject: your account

Body: Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

Best regards,

Administrator

The worm travels as a .Zip file named "message.htm" but is in fact a UPX-compressed Win32 executable file. When run, it creates the file "videodrv.exe" in the Windows directory.

Mimail-A searches infected systems for e-mail addresses to harvest, a trick used by many recently successful worms such as Sobig-C and Palyh. It then sends copies of itself to those addresses using its own SMTP (Simple Mail Transfer Protocol) engine.
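As an added defensive illustration (not code from the article, Trend Micro or McAfee), here is a Python check that applies the indicators the article describes to a raw message: a sender of admin@ at the recipient's own domain, the "your account" subject, and a "message.htm" attachment that is really an MZ/PE executable carrying UPX markers. The sample message, the example.com addresses and the fake PE stub are constructed for the test and are not a real executable.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MIMAIL_SUBJECT = "your account"      # subject line quoted in the article
MIMAIL_ATTACHMENT = "message.htm"    # attachment name quoted in the article

def is_pe_executable(data: bytes) -> bool:
    """A Win32 executable starts with the 'MZ' DOS stub, whatever its file name claims."""
    return data[:2] == b"MZ"

def is_upx_packed(data: bytes) -> bool:
    """UPX-packed binaries carry 'UPX0'/'UPX1' section names and a 'UPX!' marker."""
    return b"UPX!" in data or b"UPX0" in data

def mimail_indicators(raw: bytes) -> list[str]:
    """Return the Mimail-A indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    # Social engineering: 'admin@' at the recipient's own domain.
    if "@" in sender and "@" in recipient:
        local, domain = sender.split("@", 1)
        if local == "admin" and domain == recipient.split("@", 1)[1]:
            hits.append("sender spoofs local admin")
    if (msg.get("Subject") or "").strip().lower() == MIMAIL_SUBJECT:
        hits.append("subject 'your account'")
    for part in msg.iter_attachments():
        data = part.get_content()
        if not isinstance(data, bytes):
            continue  # text/* or message/* parts; not a binary payload
        if (part.get_filename() or "").lower() == MIMAIL_ATTACHMENT and is_pe_executable(data):
            hits.append("message.htm is a Win32 executable")
            if is_upx_packed(data):
                hits.append("attachment is UPX-packed")
    return hits

def build_sample() -> bytes:
    """Constructed lookalike message; the 'attachment' is a fake PE stub, not a real executable."""
    msg = EmailMessage()
    msg["From"] = "admin@example.com"     # constructed, mirrors the admin@<own domain> trick
    msg["To"] = "user@example.com"
    msg["Subject"] = "your account"
    msg.set_content("This email address will be expiring. Please read attachment for details.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"UPX0UPX1" + b"UPX!"
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename=MIMAIL_ATTACHMENT)
    return bytes(msg)
```

A mail gateway would treat the extension/content mismatch alone as grounds to quarantine; the header indicators only raise confidence that it is this particular lure.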

Gullotto said Mimail-A was probably seeded to a list of e-mail addresses, which caused the initial blip on the antivirus companies' radar screens. "But users definitely are double-clicking on the attachment," he said.

He doesn't think Mimail-A will have the staying power of Yaha or Klez, which have continued spreading months after being released. "It will likely make a splash for a few hours then go away," he said.

FOR MORE INFORMATION:

Microsoft security bulletin MS03-026

Featured Topic: Critical Windows flaw

SearchSecurity.com news exclusive: "CERT warns RPC being exploited in wild"

