Mimail variants spreading, target antispam sites
NOVEMBER 03, 2003 ( IDG NEWS SERVICE ) -



New versions of the Mimail e-mail worm are circulating on the Internet, according to alerts issued today from leading antivirus software companies.
The new variants are similar to a version of the worm that appeared last week, Mimail.C, and they contain instructions to launch distributed denial-of-service (DDoS) attacks against a number of antispam and e-commerce Web sites, according to alerts posted by Sophos PLC, Symantec Corp. and others.

The new variations, dubbed Mimail.E, Mimail.F and Mimail.H, all spread using e-mail messages taken from the hard drives of computers the worm infects, Sophos said.

Like other mass-mailing worms, Mimail targets machines running Microsoft Corp.'s Windows operating system and makes changes to the Windows configuration on machines to ensure the worm runs automatically whenever Windows starts, Sophos said.

The worm first appeared in August and tricked users by appearing to come from an administrator from their own Web domain. On Friday, a variant of Mimail, Mimail.C, began to spread and infected machines worldwide (see story).

The new variants have a different subject line and message body than either of the earlier versions of Mimail, according to Sophos. They also expand the list of Web sites targeted for DDos attacks, adding prominent spam blacklist sites such as www.spews.org and www.spamhaus.org to the list of targets, as well as e-commerce sites such as www.mysupersales.com, Sophos said.

While some of the target sites were unreachable today, most continued to operate, partly because of the low infection rate of the new variants, according to Chris Belthoff, a senior security analyst at Sophos. The company first detected the new variants over the weekend, Belthoff said.

Though they are different from the first Mimail worm and the Mimail.C variant, the new Mimail variants are similar to one another, Belthoff said. All are transmitted in an e-mail file attachment named readnow.zip. Users who open the compressed Zip file find the worm program, which they must also click on to decompress and run the program, infecting their computer, he said

The new variants also come in e-mail messages with the same subject line, "don't be late!" and a similar message body that reads in part, "Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late."

The new worm versions "don't show a lot of imagination," according to Belthoff. Even without antivirus software, users could filter messages based on the attachment name or subject line and be confident of stopping the new Mimail varieties, he said.

The simple structure of the worm and the seemingly random list of target Web sites may be evidence that the latest Mimail versions are "me too" copies that unsophisticated virus writers spun off from Mimail.C, Belthoff said.

Sophos as well as Symantec posted updated virus definitions for their products to stop the new variants, as well as instructions for removing Mimail from systems that have been infected.


http://www.computerworld.com/securi...1,86803,00.html


W32/Mimail-H

W32/Mimail-F

W32/Mimail-E

W32/Mimail-C

Dr_Evil