The author of the Mimail worm has found a novel way to bypass antivirus scanners. E-mail messages have been circulated during the past 24 hours containing a download program packed in a .zip file that retrieves the Mimail worm from a Russian Web site.
The mmdload-A Trojan is packed in a .zip file called paypal.zip. It is attached to an e-mail that has the subject line "PAYPAL.COM NEW YEAR OFFER." If the attachment is opened, the program downloads a copy of the Mimail-P worm from a Russian Web site.
While such an attack lacks the potential bang of an aggressive mass-mailing worm, it is shrewd because the Trojan will likely squeak by antivirus scanners. Its punch may be limited by the fact that each e-mail has to be manually sent because the downloader cannot propagate itself.
"Possibly it is a lot easier to create new loaders than new viruses, which could make it harder to detect that malware," said a German software developer who received the worm this morning and asked not to be named. "If this works as they expect, I'm sure we will see a new wave of similarly made mass mailings that are faked to look like something that readers can trust and encourage them to execute the attached binary file."
In some ways, the Mimail-P e-mail attack is similar to the Xombe Trojan that hit last Friday and purported to be a Microsoft security alert. The Xombe malicious attachment was actually a small download program that retrieved another downloader. The second program downloaded an HTTP client that conducted a denial-of-service attack on a Russian discussion board.
The body text of the e-mail carrying the new Trojan is identical to that of the Mimail-P e-mail, which began spreading about a week ago. Mimail-P tries to lure people into opening the attachment by saying that 10% will be added to the user's PayPal account. PayPal is a service owned by online auction site eBay. The service allows people to send money online.
"Mimail worms are increasing in their sophistication and techniques used to launch attacks, not unlike the developmental nature of Sobig worms seen in 2003," said Ken Dunham, director of malicious code at iDefense Inc., in a statement.
The Sobig family of worms gained significant traction last year. Almost every month, a new variant appeared with new features. Many experts believe the worms were being used by a group to create open relays for spammers. Several Sobig versions dropped spam-routing software onto infected machines.
The Mimail worms seem to be following a similar path. They don't create open relays, but they do try to steal sensitive information such as credit card and Social Security numbers from recipients. Other variants have attacked antispam sites. Mimail-P, for example, searches systems for e-mail addresses and saves those matching certain criteria (such as having ".com" or ".uk" as part of the address). It then sends them to a Web site, most likely to be used for spamming.
"Money is the motive, resulting in new Mimail attacks on a regular basis," Dunham said. "It's almost like clockwork now, with new Mimail variants expected every few days."