Mimail worm tops virus chart
Published: 04 Aug 2003 08:40 BST
A new Windows mass-mailing virus, which disguises itself as a file sent by a computer user's network administrator, began infecting systems on Friday and quickly rose to the top of the virus charts on Monday.
The worm, which is being dubbed "Mimail", attempts to exploit a vulnerability in Internet Explorer that allows a script to be executed by an infected computer. The worm then tries to use that script to mass email itself, potentially clogging mail servers or slowing down networks, according to antivirus company Symantec.
The worm spread widely on Friday, with the bulk of messages affecting computers in the US, according to data from UK email provider MessageLabs. The firm bases its figures on the number of copies of the worm stopped by its customers' email servers around the world. On Friday, MessageLabs stopped more than 25,000 copies of Mimail, and after an expected drop-off over the weekend, collected more than 10,000 copies by 13:00 BST on Monday. These figures put Mimail at the top of MessageLabs' virus charts, ahead of Klez and Yaha.
The arrival of Mimail comes amid heightened fears that a large-scale attack on the Internet could be looming. The US federal government warned this week that a widespread flaw in Windows could be used to generate an attack.
The email that carries the worm has "your account" in the subject line, according to Symantec, and the body reads, "Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details."
It is then signed "Best regards, Administrator" and contains an attachment labeled "message.zip" that carries the malicious code.
In its method, the mimail bug is somewhat similar to other mass-mailing worms, said Sharon Ruckman, a senior director at Symantec Security Response. What's trickier than usual, she said, is the way the email that carriesthe worm tries to get people to open the attachment.
"The social engineering aspect (is) a lot more serious," Ruckman said. "You believe it was the administrator from your own domain, whether that is your company or your ISP."
Also of note, Ruckman said, is that the mass emailing code is contained in an HTML file, a type of file not normally associated with executing programs. Ruckman recommended that corporations either delete the attachments at the server level or block messages with the "your account" subject line.
ZDNet UK's Matthew Broersma contributed to this report.
Did you find this article useful?
77 out of 130 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
