Our mail servers just got bombarded with this worm. Symantec is not certain about the exact payload at this time so keep your eyes open for a signature update very soon.


http://[email protected]

Symantec Security Response is currently analyzing a new worm which spreads via email. The email will have the following characteristics:

Subject: your account %s
Attachment: message.zip

Note: %s refers to a variable string.

This worm attempts to exploit a vulnerability in Internet Explorer which allows a script to execute in the Local computer. Previously it was reported that this vulnerability was addressed by a Microsoft patch, but this undetermined at this time. For additional information please see http://www.securityfocus.com/bid/6961.

The worm is UPX packed.

Additional information will be provided as analysis continues.

Virus definitions with a version number of 50801r, also known as August 1, 2003 rev 18, or greater will detect this threat.


Also Known As: WORM_MIMAIL.A [Trend], W32/Mimail@MM [McAfee], Win32.Mimail.A [CA]

Type: Worm
Infection Length: approximately 16kb



Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

If you have Norton AV, you can download the signature update via the normal live update process or you can manually grab them here:
http://securityresponse.symantec.com....download.html