Four variants of the Mimail worm have been reported since Friday, each traveling the Internet packed in a .zip file and each with its sights set on taking down antispam Web sites.
Mimail-C, which first appeared on Friday, has enjoyed high distribution, but its damage potential is low, experts say. Other variants have appeared since Friday with modified subject lines and message text, techniques that the author has used in an attempt to elude antivirus scanners, one expert said.
The variants, Mimail-D, -F and -H, have the common denominator of being packed in a .zip file, a file type not normally blocked at the gateway by e-mail and network administrators. Once a user opens the .zip and the infected file, the worm searches the system for e-mail addresses and mails itself using its self-contained SMTP engine. Mimail can infect Windows 2000, NT, XP, 98, ME and 95 systems.
It also attempts to launch a denial-of-service attack on spam blacklist sites like mysupersales.com, spamhuas.org and spews.org, among others.
Administrators who may have filtered for Mimail-C on Friday using its static subject lines and message body need to be aware that that text has changed with the variants. The author has also apparently corrupted a header in the .zip file in order to confuse antivirus scanners.
"This Zip is corrupted, and I believe the author has done this on purpose," said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp. "One byte in a header has been corrupted, and I think this has been done so that antivirus scanners cannot unpack the Zip successfully and examine its contents. It can, however, still be unpacked by the user."
Hypponen said early this morning that he had not heard from any antivirus vendors about their tools' having problems unpacking a Mimail-infected .zip to confirm his theory.
The Mimail variants arrive with a 30-space subject line containing random messages like "don't be late," "our private photos," and others. The text contains a suggestive message between paramours promising romantic pictures taken at the beach. The sender is either Joe or James, and the message will likely be spoofed to appear as if it is coming from the user's domain.
The attachment's file names have also been randomized. Mimail-C was packed in a file called "photos.zip." Subsequent variants have been packed in a file called "readnow.zip."
Users must unpack the .zip file and double-click on the executable file to launch the worm. The executable's file names include "photos.jpg.exe" and "readnow.doc.scr."
.Zip files are not normally blocked at the gateway the way other file extensions preferred by worm writers, like .scr, .pif and .exe, are.
"The No. 1 reason the author has used Zip files is to gain access to the gateway," Hypponen said. He advises e-mail and network administrators to test whether their antivirus scanners are successfully unpacking Mimail and to continue blocking unnecessary file extensions.
Graham Cluley, senior technology consultant with U.K.-based Sophos PLC, also advises administrators to test their antivirus software to ensure that it is indeed scanning archived files like .zip files.
"This is no way to receive messages and documents from the outside," Cluley said. "Always be suspicious of unsolicited mail and keep antivirus software up to date."