Mimail worm spreading; likely not an RPC exploit

Experts said the appearance of the mass-mailing Mimail worm Friday afternoon is likely not an exploit of the RPC vulnerability.


A new mass-mailing worm sprouted Friday that uses crafty social engineering to entice recipients into opening it.

Dubbed Mimail-A, the worm arrives as an attachment to an e-mail purporting to be from an enterprise's e-mail administrator. Both Trend Micro and McAfee Security have it listed as a medium threat risk. There were initial reports that the worm exploited the RPC-DCOM vulnerability but that doesn't appear to be the case, said Vincent Gullotto, vice president of McAfee AVERT (antivirus emergency response team).

"We aren't seeing any buffer overflows," which is what the RPC flaw is, Gullotto said, noting they are still researching the worm.

There have also been reports from other antivirus companies that the worm exploits an Internet Explorer vulnerability, but nothing is confirmed. Most experts do agree that the worm doesn't have a destructive payload.

The worm seems to have gained some traction because of its ability to look like it came from the system administrator. For example, someone with a searchsecurity.com e-mail domain would get a message from "admin@searchsecurity.com."

"We have both a global alert and one in the United States out on this one," said David Perry, Trend Micro Inc.'s global director of education. "But this is not played out. We hope to circumvent a major outbreak."

In fact, the worm may contain the seeds of its own destruction. Each time it spreads, it increases in size by 536 bytes. Over time, this growth will choke its progress, Perry said. "We saw a similar situation with FunLove five years ago," he said.

However, the worm's growth also allowed it to sneak by antivirus scanners - at least initially.

Here is what the message looks like:

Subject: your account

Body: Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

Best regards,

Administrator

The worm travels as a .zip file named "message.htm" but is in fact a UPX-compressed Win32 executable file. When run, it creates the file "videodrv.exe" in the Windows directory.

Mimail-A searches infected systems for e-mail addresses to harvest, a trick used by many recently successful worms such as Sobig-C and Palyh. It then sends copies of itself to those addresses using its own SMTP (Simple Mail Transfer Protocol) engine.
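A mail-gateway check for the indicators the article lists (sender posing as the recipient domain's "admin", the "your account" subject, and a zip whose ".htm" member is really a packed Win32 executable), written here as an added example rather than code from the article or from any antivirus vendor. The message it scans is a harmless constructed lookalike built in `build_sample_mail()`; the "MZ"/"UPX0" bytes are a stand-in for a real packed PE, and the address domains are assumed.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_sample_mail() -> bytes:
    """Constructed lookalike of the Mimail-A lure (not the worm itself)."""
    # Stand-in for a UPX-packed PE: DOS 'MZ' stub plus UPX section names.
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0UPX1" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.htm", fake_pe)  # .htm name hiding an executable
    msg = EmailMessage()
    msg["From"] = "admin@searchsecurity.com"   # assumed domains, as in the article
    msg["To"] = "user@searchsecurity.com"
    msg["Subject"] = "your account"
    msg.set_content("Hello there, this email address will be expiring. "
                    "Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def mimail_indicators(raw: bytes) -> list:
    """Return the Mimail-style indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    rcpt = parseaddr(str(msg["To"] or ""))[1].lower()
    if "@" in sender and "@" in rcpt:
        s_user, s_dom = sender.split("@", 1)
        if s_user == "admin" and s_dom == rcpt.split("@", 1)[1]:
            hits.append("sender-claims-local-admin")
    if str(msg["Subject"] or "").strip().lower() == "your account":
        hits.append("subject-your-account")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True)
        if not name.endswith(".zip") or not data:
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue
        for info in zf.infolist():
            content = zf.read(info)
            is_pe = content[:2] == b"MZ"  # DOS/PE magic, whatever the extension says
            if is_pe and info.filename.lower().endswith((".htm", ".html")):
                hits.append("zip-member-pe-disguised-as-htm")
            if is_pe and b"UPX0" in content:
                hits.append("upx-packed-pe-in-zip")
    return hits
```

Any one indicator alone is weak (many sites legitimately mail from an admin@ address); the combination of the spoofed local admin sender, the lure subject and an executable hiding behind an .htm name inside the zip is what makes the match worth quarantining.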

Gullotto said Mimail-A was probably seeded to a list of e-mail addresses, which caused the initial blip on the antivirus companies' radar screens. "But users definitely are double-clicking on the attachment," he said.

He doesn't think Mimail-A will have the staying power of Yaha or Klez, which have continued spreading months after being released. "It will likely make a splash for a few hours then go away," he said.

FOR MORE INFORMATION:

Microsoft security bulletin MS03-026

Featured Topic: Critical Windows flaw

SearchSecurity.com news exclusive: "CERT warns RPC being exploited in wild"
