New Mimail variant more trick than treat

A variant of the mass-mailing Mimail worm surfaced today, and administrators are being warned that it's spreading quickly. The worm, which spreads as a Zip file, is not particularly destructive, but it could cause network bottlenecks.

A new variant of the Mimail worm emerged today. While it appears not to be particularly destructive, it does seem to have gained some traction.

Both Trend Micro Inc. and Network Associates' Antivirus Emergency Response Team (AVERT) have assigned Mimail-C a medium alert rating because of its prevalence. Symantec Security Response has upgraded its assessment of Mimail-C, now calling it a Category 3 threat, as has F-Secure Corp. AVERT first started tracking the worm at 11 a.m. GMT, and it has progressed steadily through 2 p.m. GMT.

"We have had calls from our customers who blocked a couple thousand copies of it at their gateways," said Vincent Gullotto, vice president of AVERT.

Mimail-C is a mass-mailing worm. Like previous versions, it travels as a .zip file attached to a message. When run, it scans the infected system for e-mail addresses to harvest. It then uses its own SMTP (Simple Mail Transfer Protocol) engine to send copies of itself. It can infect Windows 95, 98, ME, NT, 2000 and XP machines.

The worm also arrives using the domain name of the recipient with the user name "James." So, for example, if the message was sent to someone with the domain name, the message would appear to come from "".

The worm does have a new trick. Namely, it tries to send code to a Web site, perhaps as part of a denial-of-service attack, Gullotto said. This could hurt companies hit hard by Mimail-C, because outbound traffic could slow down internal networks.

Experts said the worm's traction is surprising because its social engineering isn't very good. It does imply the .zip file contains pictures, but unlike recent worms that use varying subject lines and message text combinations, Mimail-C uses the same text over and over:

Subject: Re[2]: our private photos

Message Body:
Hello Dear!,
Finally, i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're withou ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.

Attachment: which contains photos.jpg.exe

In theory, sending a worm as a .zip file shouldn't work well because another application is needed to open it, Gullotto said. In other words, "It's not just a matter of double-clicking on an attachment," he said.

Worm writers have preferred sending their creations with file extensions such as .scr, .exe or .pif. Many enterprises strip these files at the gateway, but blocking .zip files wouldn't be as easy. Gullotto recommends companies set a policy that .zip files only be sent password protected. If a .zip file arrives, it shouldn't be opened unless it requires a password, he said.
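One way a mail gateway could enforce the policy described above, as an added example that is not from the article or from any vendor it quotes: quarantine any .zip attachment that is not password protected. The function names are hypothetical, and also quarantining archives whose member names end in .scr, .exe or .pif (which catches a double extension like photos.jpg.exe) is an assumption beyond what Gullotto recommends.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article says gateways commonly strip.
BLOCKED_EXTS = (".scr", ".exe", ".pif")

def inspect_zip(data: bytes) -> dict:
    """Report encryption status and blocked-extension members of one archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"valid": False, "encrypted": False, "blocked_members": []}
    infos = [i for i in zf.infolist() if not i.is_dir()]
    # Bit 0 of the general-purpose flag marks a password-protected entry.
    encrypted = bool(infos) and all(i.flag_bits & 0x1 for i in infos)
    # With standard zip encryption, member names stay readable without the password.
    blocked = [i.filename for i in infos if i.filename.lower().endswith(BLOCKED_EXTS)]
    return {"valid": True, "encrypted": encrypted, "blocked_members": blocked}

def gateway_verdict(raw_message: bytes) -> str:
    """Return 'quarantine' or 'deliver' for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(BLOCKED_EXTS):
            return "quarantine"
        if name.endswith(".zip") or payload[:4] == b"PK\x03\x04":
            report = inspect_zip(payload)
            if not (report["valid"] and report["encrypted"]) or report["blocked_members"]:
                return "quarantine"
    return "deliver"

def build_sample(member_name: str) -> bytes:
    """Constructed test message: an unencrypted zip with one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The check also sniffs the `PK\x03\x04` signature, so an archive sent under a different file name still gets inspected.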
