Though only a few days old, December is becoming Mimail's month. A new variant of the worm appeared Wednesday, but experts don't expect it will gain much traction.
Mimail-M resembles the previous variant, Mimail-L, which appeared earlier this week: it arrives with a message, written in broken English, that describes a sexual encounter, and like Mimail-L it promises photos of a nude woman to entice recipients into opening the attachment and running the worm.
What is new in Mimail-M is that it arrives in a password-protected .zip file, with the password "kiss" given in the body of the message. This technique could help the worm spread because some gateway antivirus scanners won't catch it, experts said: a scanner cannot open an encrypted archive to inspect what is inside. The trick also blends in with common practice, since some companies mandate that .zip files be password protected for security reasons.
Yet to some recipients, a password arriving alongside the very file it unlocks may seem fishy. Only the copies seeded by the creator are encrypted: once it infects a system, the worm does not send out encrypted copies of itself.
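As an added illustration, not code from F-Secure or from the original report, the following Python sketch shows the check a mail gateway could run for the delivery pattern described above: a .zip attachment whose entries carry the ZIP "encrypted" flag, arriving in the same message that hands over the password. The encryption flag can be read from the archive headers without extracting anything, so the check works even though the scanner cannot look inside the archive. The message bodies and archives are constructed test fixtures; the fixture archive is only flagged as encrypted, not actually encrypted, because Python's zipfile module cannot write encrypted archives.

```python
"""Gateway heuristic for the Mimail-M delivery pattern: an encrypted .zip
attachment plus the archive password in the message body.
Added example; not F-Secure's code. Messages and archives are constructed."""
import io
import re
import struct
import zipfile

# Bit 0 of the ZIP general-purpose flag word marks an entry as encrypted. It
# lives in the headers, so a scanner can read it without decrypting anything.
ENCRYPTED_FLAG = 0x0001

# Body phrases such as "password is kiss", "pass: kiss", "pw = 'kiss'".
# A bare "Password sent separately" deliberately does not match.
PASSWORD_IN_BODY = re.compile(
    r"\b(?:pass(?:word)?|pw)\b(?:\s+is\s+|\s*[:=]\s*)[\"']?([A-Za-z0-9!@#$%^&*]{3,32})[\"']?",
    re.IGNORECASE,
)


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of entries whose central-directory flag says 'encrypted'.
    Data that is not a valid archive yields []; a production gateway would
    normally treat a malformed .zip as its own reason for review."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def password_in_body(body: str):
    """The password the sender hands over in the message text, if any."""
    m = PASSWORD_IN_BODY.search(body)
    return m.group(1) if m else None


def classify(body: str, attachments: dict) -> dict:
    """attachments maps filename -> raw bytes.
    'suspicious': encrypted .zip and its password in the same message
    'review':     encrypted .zip, no password in the body (e.g. company policy)
    'clean':      no encrypted archive attached"""
    reasons = []
    for name, data in attachments.items():
        if not name.lower().endswith(".zip"):
            continue
        names = encrypted_entries(data)
        if names:
            reasons.append(f"{name}: encrypted entries {names}")
    password = password_in_body(body) if reasons else None
    if reasons and password:
        return {"verdict": "suspicious", "password": password, "reasons": reasons}
    if reasons:
        return {"verdict": "review", "password": None, "reasons": reasons}
    return {"verdict": "clean", "password": None, "reasons": []}


def make_zip(entry_name: str, payload: bytes, flagged: bool) -> bytes:
    """Constructed fixture: a one-entry ZIP. With flagged=True the encrypted
    bit is patched into the local header (flag word at +6) and the central
    directory header (flag word at +8); the payload itself stays in the clear.
    The payload must not contain a PK header signature for the patch to be safe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if flagged:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | ENCRYPTED_FLAG
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed sample messages modelled on the report (not the worm's real text).
WORM_STYLE_BODY = "hi ;-) i send you my photos, the archive password is kiss"
POLICY_BODY = "Attached is the Q4 report. Password sent separately by phone."


def demo() -> dict:
    flagged = make_zip("photos.exe", b"MZ" + b"\x90" * 64, flagged=True)
    plain = make_zip("report.doc", b"report body", flagged=False)
    return {
        "worm": classify(WORM_STYLE_BODY, {"photos.zip": flagged}),
        "policy": classify(POLICY_BODY, {"report.zip": flagged}),
        "plain": classify(POLICY_BODY, {"report.zip": plain}),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The point of returning the recovered password is that a gateway which finds it can do what the plain scanner could not: unpack the archive with that password and scan the contents. The "review" verdict keeps the legitimate case (a company that mandates encrypted archives and sends the password out of band) separate from the worm's pattern, where the password travels with the file.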
Despite the new twists, the worm doesn't seem to be spreading much on its own, said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp. It was well seeded using spamming techniques, but its mailing routine doesn't seem to be working, he said.
Another difference in Mimail-M is that it tries to launch a denial-of-service attack against the Darkprofits Web site, which has been linked with credit card swapping. Mimail-L and other variants have targeted antispam sites as well as Darkprofits.
Hypponen can't say why Mimail's creator would target antispam groups and a shadowy group involved with credit card swapping. "It's probably a personal fight or something like that," he said.
It's also hard to say whether one person or group is behind Mimail-M or whether the code for the worm is being distributed, Hypponen said.
"If there is a kit for making the worm, we haven't seen it yet," he said. "There are still a lot of questions about Mimail that we don't have answers for."