Mimail variants spreading, target antispam sites

New versions of the Mimail e-mail worm are circulating on the Internet, according to alerts issued Monday from leading antivirus software companies.

The new variants are similar to a version of the worm that appeared last week, Mimail.C, and contain instructions to launch distributed denial of service (DDoS) attacks against a number of antispam and e-commerce Web sites, according to alerts posted by Sophos, Symantec and others.

The new variations, dubbed Mimail.E, Mimail.F and Mimail.H all spread using e-mail messages taken from the hard drives of computers the worm infects, Sophos said.

Like other mass mailing worms, Mimail targets machines running Microsoft Corp.'s Windows operating system and makes changes to the Windows configuration on machines it infects that ensures the worm runs automatically whenever Windows starts, Sophos said.

The worm first appeared in August and tricked users by appearing to come from an administrator from their own Web domain.

On Friday, another variant of Mimail, Mimail.C, also began spreading and infecting machines worldwide.

The new worm variants have a different subject line and message body than either of the earlier versions of Mimail, according to Sophos.

They also expand the list of Web sites targeted for distributed denial of service attacks, adding prominent spam blacklist sites such as www.spews.org and www.spamhaus.org to the list of targets, as well as e-commerce sites such as www.mysupersales.com, Sophos said.

While some of the target sites were unreachable on Monday, most continued to operate, due in part to the low infection rate of the new variants, according to Chris Belthoff, senior security analyst at Sophos.

Sophos first detected the new variants over the weekend, Belthoff said.

Though they are different from the first Mimail worm and the Mimail.C variant, the new Mimail variants are similar to each other, Belthoff said.

All the new variants are transmitted in an e-mail file attachment named readnow.zip. Users who open the compressed ZIP file find the worm program, which they must also click on to decompress and run the program, infecting their computer, he said

The new variants also come in e-mail messages with the same subject line, "don't be late!" and a similar message body which reads, in part: "Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late."

The new worm versions "don't show a lot of imagination," according to Belthoff.

Even without antivirus software, users could filter messages based on the attachment name or subject line and be confident of stopping the new Mimail varieties, he said.

The simple structure of the worm and the seemingly random list of target Web sites may be evidence that the latest Mimail versions are "me too" copies, which unsophisticated virus writers spun off from the recent Mimail.C worm, Belthoff said.

Sophos as well as Symantec posted updated virus definitions for their products to stop the new variants, as well as instructions on removing Mimail from systems that have been infected.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftSophosSymantec

Show Comments