Yet Another Mass-Mailed Worm Is Spreading Fast

The worm, pegged as Mimail.C by most anti-virus vendors, was discovered just after midnight Friday, and is a variation of similar malicious code launched in August. That trend, one successful worm tweaked to create another, is nothing new; the most notable example has been a series of worms dubbed as Sobig, whose latest incarnation last struck in August and September.

Like its predecessor, Mimail.C attempts to steal confidential information from compromised machines and send the harvested data to pre-determined e-mail addresses. The actual Windows applications it pickpockets are still under investigation, said Craig Schmugar, a virus research engineer with Network Associates.

The worm is also coded to perform denial-of-service (DoS) attacks against a pair of Web sites, darkprofits.com and darkprofits.net. As of mid-day Friday, both sites were offline and unavailable.

Mimail.C disguises its worm payload in a .zip file labeled as PHOTOS. ZIP, and tries to trick users into opening the message and launching the file by spoofing the sender address as originating from the user's own domain, and using a subject heading of "Re: our private photos."

Because it's a mass-mailed worm -- and collects e-mail addresses from infected Windows systems to propagate -- Mimail may clog mail servers or degrade network performance, said Symantec in an e-mailed alert.

But "it's nowhere near as effective in mailing itself as was Sobig," said Schmugar. Although there could be a spike in propagation, and thus e-mail traffic, later Friday as workers leave work and fire up their home PCs, Schmugar doesn't expect the worm to reach the rate of multiplication that Sobig achieved.

Nonetheless, anti-virus organizations raised their alert levels to account for the pace of Mimail's spread. Network Associates, for instance, now tags the worm as a 'medium' threat, while Symantec upped its assessment from a '2' to a '3.' Symantec uses a 1 through 5 point system to designate virus danger.

Anti-virus vendors such as Network Associates and Symantec have already refreshed their virus definitions to account for Mimail, and urge their users to update.

Other tactics to stymie Mimail include filtering for the .zip extension at the e-mail gateway. and configuring anti-virus software to sniff for malware embedded inside compressed files, said Ken Dunham, an analyst with iDefense, a security intelligence firm based in Reston, Va.

"Many corporations allow for .zip files to be transferred to others through e-mail," said Dunham in an e-mailed statement. "As a result, Mimail.C has the upper hand when infiltrating networks configured to allow .zip attachments."

The .zip attachment also gets by Microsoft's Outlook e-mail client, which automatically blocks a number of file types -- ranging from .exe to .pif -- but not .zip.

Infected PCs can be cleaned using an automated removal tool posted at BitDefender, Inc.'s Web site. Additionally, Network Associates has listed instructions for manually eliminating Mimail on its site.

This story courtesy of TechWeb.