
New Mimail variants take aim at spam blacklists

The author of the Mimail worm has released four variants since Friday. Though the payload itself is harmless, Mimail mounts a denial-of-service attack against antispam sites and, because it mails itself out in volume, could clog internal e-mail servers.

Four variants of the Mimail worm have been reported since Friday, each traveling the Internet packed in a .zip file and each with its sights set on taking down antispam Web sites.

Mimail-C, which first appeared on Friday, has spread widely, but its damage potential is low, experts say. Other variants have appeared since Friday with modified subject lines and message text, changes that the author made in an attempt to elude antivirus scanners, one expert said.

The variants Mimail-D, -F and -H share one trait with Mimail-C: each is packed in a .zip file, a file type that e-mail and network administrators do not normally block at the gateway. Once a user opens the .zip and runs the infected file inside, the worm harvests e-mail addresses from the system and mails itself out through its own built-in SMTP engine, so it does not depend on the victim's mail client. Mimail can infect Windows 2000, NT, XP, 98, ME and 95 systems.

It also attempts to launch a denial-of-service attack on several spam blacklist sites.

Administrators who filtered for Mimail-C on Friday using its fixed subject line and message body should be aware that this text has changed in the later variants. The author has also apparently corrupted a header inside the .zip file in order to confuse antivirus scanners.

"This Zip is corrupted, and I believe the author has done this on purpose," said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp. "One byte in a header has been corrupted, and I think this has been done so that antivirus scanners cannot unpack the Zip successfully and examine its contents. It can, however, still be unpacked by the user."

Hypponen said early this morning that he had not yet heard from any antivirus vendors that their tools were having problems unpacking a Mimail-infected .zip, so his theory remained unconfirmed.

The Mimail variants arrive with a 30-space subject line carrying a randomly chosen phrase such as "don't be late" or "our private photos." The body contains a suggestive message between lovers promising romantic pictures taken at the beach. The sender is either Joe or James, and the address is likely spoofed to appear to come from the recipient's own domain.

The attachment's file names have also changed. Mimail-C was packed in a file called "". Subsequent variants have been packed in a file called "".

Users must unpack the .zip file and double-click the executable inside to launch the worm. The executable's file names include "photos.jpg.exe" and "readnow.doc.scr", double extensions chosen so that the file appears to be a picture or a document.

Zip files are not normally blocked at the gateway the way other file extensions favored by worm writers, such as .scr, .pif and .exe, are.

"The No. 1 reason the author has used Zip files is to gain access to the gateway," Hypponen said. He advises e-mail and network administrators to test whether their antivirus scanners are successfully unpacking Mimail and to continue blocking unnecessary file extensions.

Graham Cluley, senior technology consultant with U.K.-based Sophos PLC, also advises administrators to test their antivirus software to ensure that it is indeed scanning archived files like .zip files.
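The two checks the experts recommend, verifying that an unpacker actually gets inside the archive and applying the bare-attachment extension policy to what it finds there, can be exercised together on a gateway. The following Python script is an added example written for this page, not code from the article, from F-Secure or from Sophos. It constructs three small archives in memory with inert sample bytes, flips one byte of a local file header to stand in for the corruption Hypponen describes (the byte chosen here is an assumption for illustration, not the byte the worm's author changed), and reports whether the archive's local headers agree with its central directory, whether a standard unpacker can still read each member, and whether any member name carries a blocked or disguised executable extension. The blocked-extension list is an assumed gateway policy.

```python
import io
import os
import struct
import zipfile

# Extensions a mail gateway typically blocks on bare attachments (assumed
# policy). The article's point is that .zip itself is usually allowed, so the
# worm uses it as a wrapper around one of these.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Zip local file header (PKWARE APPNOTE 4.3.7): 30 fixed bytes, then the name.
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30
FLAG_DATA_DESCRIPTOR = 0x0008  # CRC and sizes are legitimately zero in the local header


def build_sample_zip(member_name, payload):
    """Build a one-member archive in memory (constructed sample, inert bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def flip_one_header_byte(archive, header_offset, field_offset=3):
    """Flip a single byte of a member's local file header (hypothetical damage).

    The central directory at the end of the file is untouched, so anything that
    only lists the archive still sees the member, while a tool that validates
    the local header before inflating the data stops here.
    """
    data = bytearray(archive)
    data[header_offset + field_offset] ^= 0xFF
    return bytes(data)


def extension_finding(name):
    """Apply the bare-attachment extension policy to an archive member name."""
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in BLOCKED_EXTENSIONS:
        return None
    finding = "executable extension ." + parts[-1]
    if len(parts) >= 3:  # photos.jpg.exe, readnow.doc.scr
        finding += " disguised as ." + parts[-2]
    return finding


def inspect_archive(archive):
    """Return a list of findings for one .zip attachment.

    Check 1: each member's local header is cross-checked against the central
    directory and a real extraction is attempted, which tells an administrator
    whether an unpacker of this kind would choke on the file.
    Check 2: member names are screened with the same extension policy the
    gateway applies to bare attachments, so the .zip wrapper buys nothing.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            (sig, _ver, flags, _method, _time, _date, crc, _csize, _usize,
             _name_len, _extra_len) = struct.unpack(
                LOCAL_HEADER_FMT, archive[off:off + LOCAL_HEADER_LEN])
            if sig != LOCAL_HEADER_SIG:
                findings.append("%s: bad local header signature %r" % (info.filename, sig))
            if not (flags & FLAG_DATA_DESCRIPTOR) and crc != info.CRC:
                findings.append("%s: local CRC %08x != directory CRC %08x"
                                % (info.filename, crc, info.CRC))
            try:
                with zf.open(info) as fh:  # the unpacker's own view of the file
                    fh.read()
            except zipfile.BadZipFile as exc:
                findings.append("%s: unpack failed: %s" % (info.filename, exc))
            ext = extension_finding(info.filename)
            if ext:
                findings.append("%s: %s" % (info.filename, ext))
    return findings


def demo():
    """Three constructed attachments: clean, disguised, disguised and damaged."""
    clean = build_sample_zip("report.pdf", b"constructed inert sample bytes")
    disguised = build_sample_zip("photos.jpg.exe", b"constructed inert sample bytes")
    with zipfile.ZipFile(io.BytesIO(disguised)) as zf:
        offset = zf.infolist()[0].header_offset
    damaged = flip_one_header_byte(disguised, offset)
    return {
        "clean": inspect_archive(clean),
        "disguised": inspect_archive(disguised),
        "damaged": inspect_archive(damaged),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["no findings"])
```

The damaged archive still lists its member, because the central directory is intact, but the header cross-check and the extraction attempt both fail; a gateway that only trusts the directory listing would wave it through, which is the behaviour Hypponen suspects the corruption is meant to provoke. The extension screen fires on the disguised member whether or not the header is damaged, which is why blocking unnecessary extensions inside archives, not just on bare attachments, is the more robust control.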

"This is no way to receive messages and documents from the outside," Cluley said. "Always be suspicious of unsolicited mail and keep antivirus software up to date."
