Mimail-A peaks; Klez's staying power 'unparalleled'

Edward Hurley, SearchSecurity.com News Writer

The Mimail-A worm, which pretends to be a message from an enterprise e-mail administrator, appears to have peaked.

U.K.-based e-mail filtering outsourcer MessageLabs said it captured 30,000 copies of Mimail at its height on Monday. On Tuesday, the firm said it had trapped 26,000.

Mimail does not exploit the Windows RPC-DCOM vulnerability, as some have feared. It does target vulnerabilities in Internet Explorer and Microsoft Outlook Express known as the Object Tag code base exploit and MHTML exploit.

Attackers exploiting those flaws can run code of their choice on vulnerable machines. The following versions are vulnerable: Microsoft Outlook Express 5.5, Microsoft Outlook Express 6.0, Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, and Microsoft Internet Explorer 6.0.

Mimail-A began spreading on the Internet on Friday. The worm gained some traction because of its social engineering, which makes it appear to come from the user's e-mail administrator. For example, someone with a SearchSecurity.com e-mail address would get a message from "admin@searchsecurity.com."
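The spoofing described above (a From address of admin@ the recipient's own domain) is something a mail gateway can check for. The following is an added example, not code from the article or from any vendor named in it: it parses constructed sample messages and flags one that claims to come from the organisation's own admin mailbox while its first Received hop is an outside relay. The organisation domain, the internal network ranges and the sample headers are all assumptions made up for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
import re

# Assumed organisation settings (placeholders for the example).
ORG_DOMAIN = "example.com"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_LOCALPARTS = {"admin", "administrator", "postmaster"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample 1: forged "admin@" notice that entered through an external relay.
FORGED = """Received: from mail.example.com (mail.example.com [10.0.0.5])
 by mx.example.com; Mon, 4 Aug 2003 09:00:00 -0400
Received: from unknown (HELO example.com) (203.0.113.77)
 by mail.example.com; Mon, 4 Aug 2003 08:59:58 -0400
From: admin@example.com
To: alice@example.com
Subject: your account

Please see the attached message.
"""

# Constructed sample 2: genuine notice that originated on an internal host.
LEGIT = """Received: from mail.example.com (mail.example.com [10.0.0.5])
 by mx.example.com; Mon, 4 Aug 2003 10:00:00 -0400
From: admin@example.com
To: alice@example.com
Subject: planned maintenance

Mail will be unavailable tonight between 22:00 and 23:00.
"""


def origin_ip(msg):
    """Return the source IP of the oldest Received hop (the last header), or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(str(received[-1]))
    return ip_address(match.group(1)) if match else None


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def flag_forged_admin(raw, org_domain=ORG_DOMAIN):
    """True when the message claims an admin@<org> sender but did not originate inside."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"] or ""))[1].lower()
    local, _, domain = from_addr.rpartition("@")
    claims_admin = domain == org_domain and local in ADMIN_LOCALPARTS
    return claims_admin and not is_internal(origin_ip(msg))


if __name__ == "__main__":
    for name, sample in (("forged", FORGED), ("legit", LEGIT)):
        print(name, "->", "FLAG" if flag_forged_admin(sample) else "ok")
```

The check only reads the oldest Received header, so it assumes the gateway's own relays stamp trustworthy headers; a sender can forge earlier Received lines, which is why the decision should be made on the hop the gateway itself recorded rather than on anything below it.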

While July was a busy month for Microsoft vulnerabilities, it was a fairly slow month for viruses and worms. Few new creepy crawlies gained any real traction, but some old ones were still going strong.

In July, variants of Klez, Sobig and Bugbear topped the lists of prolific malicious code from the antivirus software vendors. "What we have seen with Worm/Klez.E is unparalleled to any past Internet worm, as it continues to show extraordinary staying power," said Steven Sundermeier, product manager of Central Command Inc., noting that the worm topped 12 out of the last 15 monthly lists.

The only worms that made some minor waves were variants of the Gruel worm, a mass mailer that used a variety of social-engineering ploys. For instance, some e-mail messages purported to be a patch from Microsoft for a security vulnerability.

Here is a sampling of lists from antivirus software vendors.

Central Command's top 12 list of the most prevalent malware for July:
Worm/Klez.E 19.2%
Worm/Sobig.E 17.9%
Worm/BugBear.B 17.6%
Worm/Sobig.A 6.6%
Worm/Sobig.C 4.2%
Worm/Sircam.A 2.9%
Worm/Ganda 1.8%
Worm/Hawawi.E 1.6%
W32/Funlove.4099 1.5%
Worm/Avril.A 1.2%
W32/Yaha.E 1.2%
W32/Nimda 1.0%
Others 23.3%

Panda Software top 10 most detected malware for July:
W32/Bugbear.B 8.56%
W32/Mapson 7.36%
Trj/PSW.Bugbear.B 5.08%
JS/Fortnight.E 4.81%
JS/Fortnight.D 4.02%
W32/Klez.I 3.86%
W32/Parite.B 3.07%
W32/Bugbear.B.Dam 2.31%
W32/Bugbear 2.16%
W32/Enerkaz 2.14%

Sophos' top 10 list for the month:
W32/Sobig-E 47.8%
W32/Bugbear-B 11.0%
W32/Klez-H 5.9%
W32/Sobig-A 2.7%
W32/Parite-B 0.9%
W32/Sobig-B 0.9%
W32/Ganda-A 0.8%
W32/Opaserv-G 0.7%
W32/Sobig-D 0.7%
W95/Dupator 0.7%
Others 27.9%