A new variant of the Mimail worm emerged today. While it appears not to be particularly destructive, it does seem to have gained some traction.
Both Trend Micro Inc. and Network Associates' Antivirus Emergency Response Team (AVERT) have assigned Mimail-C a medium alert rating because of its prevalence. Symantec Security Response has upgraded its assessment of Mimail-C, now calling it a Category 3 threat, as has F-Secure Corp. AVERT first started tracking the worm at 11 a.m. GMT, and it has progressed steadily through 2 p.m. GMT.
"We have had calls from our customers who blocked a couple thousand copies of it at their gateways," said Vincent Gullotto, vice president of AVERT.
Mimail-C is mass-mailing worm. Like previous versions, it travels as a .zip file attached to a message. When run, it scans the infected system for e-mail addresses to harvest. It then uses its own SMTP (Simple Mail Transfer Protocol) engine to send copies of itself. It can infect Windows 95, 98, ME, NT, 2000 and XP machines.
The worm also arrives using the domain name of the recipient with the user name "James." So, for example, if the message was sent to someone with the searchsecurity.com domain name, the message would appear to come from "email@example.com".
The worm does have a new trick. Namely, it tries to send code to a Web site, perhaps as part of a denial-of-service attack, Gullotto said. This could hurt companies hit hard by Mimail-C, because outbound traffic could slow down internal networks.
Experts said the worm's traction is surprising because its social engineering isn't very good. It does imply the .zip file contains pictures, but unlike recent worms that use varying subject lines and message text combinations, Mimail-C uses the same text over and over:
Subject: Re: our private photosMessage Body:
Finally, i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're withou ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Attachment: photos.zip which contains photos.jpg.exe
In theory, sending a worm as a .zip file shouldn't work well because another application is needed to open it, Gullotto said. In other words, "It's not just a matter of double-clicking on an attachment," he said.
Worm writers have preferred sending their creations with file extensions such as .scr, .exe. or .pif. Many enterprises strip these files at the gateway, but blocking .zip files wouldn't be as easy. Gullotto recommends companies set a policy that .zip files only be sent password protected. If a .zip file arrives, it shouldn't be opened unless it requires a password, he said.