Mimail Worm Spawns Variants

New versions of the Mimail e-mail worm are circulating on the Internet, according to alerts issued Monday from leading antivirus software companies.

The new variants are similar to a version of the worm that appeared last week, Mimail.C, and contain instructions to launch distributed denial of service (DDoS) attacks against a number of antispam and e-commerce Web sites, according to alerts posted by Sophos, Symantec, and others.

The new variations, dubbed Mimail.E, Mimail.F, and Mimail.H all spread using e-mail messages taken from the hard drives of computers the worm infects, Sophos said.

Like other mass-mailing worms, Mimail targets machines running Microsoft's Windows operating system and alters the Windows configuration on those machines it infects to ensure that the worm runs automatically whenever Windows starts, Sophos said.

Lengthy History

The worm first appeared in August and tricked users by appearing to come from an administrator from their own Web domain.

On Friday, another variant of Mimail, Mimail.C, also began spreading and infecting machines worldwide.

The new worm variants have a different subject line and message body than either of the earlier versions of Mimail, according to Sophos.

They also expand the list of Web sites targeted for DDoS attacks, adding prominent spam blacklist sites such as www.spews.org and www.spamhaus.org to the list of targets, as well as e-commerce sites such as www.mysupersales.com, Sophos said.

While some of the target sites were unreachable on Monday, most continued to operate, due in part to the low infection rate of the new variants, according to Chris Belthoff, senior security analyst at Sophos.

Sophos first detected the new variants over the weekend, Belthoff says.

Similar Story

Though they are different from the first Mimail worm and the Mimail.C variant, the new Mimail variants are similar to each other, Belthoff says.

All the new variants are transmitted in an e-mail file attachment named readnow.zip. Users who open the compressed ZIP file find the worm program, which they must also click on to decompress and run the program, infecting their computer, he says.

The new variants also come in e-mail messages with the same subject line, "don't be late!" and a similar message body that reads, in part: "Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late."

The new worm versions "don't show a lot of imagination," according to Belthoff.

Even without antivirus software, users could filter messages based on the attachment name or the subject line and be confident of stopping the new Mimail varieties, he says.

The simple structure of the worm and the seemingly random list of target Web sites may be evidence that the latest Mimail versions are "me too" copies, spun off from the recent Mimail.C worm by unsophisticated virus writers, Belthoff says.

Sophos and Symantec each posted updated virus definitions of the new variants, as well as instructions on removing Mimail from systems that have been infected.

Subscribe to the Security Watch Newsletter

Comments