Mimail worm variants attack antispam sites

Antivirus software companies have warned that new versions of the Mimail e-mail worm are circulating on the internet, which have targeted prominent spam blacklist sites.

The latest variants are similar to a version of the worm that appeared last week, Mimail.C, and contain instructions to launch distributed denial-of-service (DDoS) attacks against a number of antispam and e-commerce websites, according to alerts posted by Sophos, Symantec and others.

Mimail.E, Mimail.F and Mimail.H all spread using e-mail addresses taken from the hard drives of computers the worm infects. Like other mass-mailing worms, Mimail targets machines running Microsoft Windows and makes changes to the Windows configuration on machines it infects which ensure that the worm runs automatically whenever Windows starts.

The worm first appeared in August and tricked users by appearing to come from an administrator from their own web domain. However, last Friday another variant of Mimail, Mimail.C, also began spreading and infecting machines worldwide.

The variants have a different subject line and message body than either of the earlier versions of Mimail.

Spam blacklist sites such as www.spews.org and www.spamhaus.org have been hit, as well as e-commerce sites such as www.mysupersales.com.

While some of the target sites were unreachable yesterday, most continued to operate, partly because of the low infection rate of the variants, according to Chris Belthoff, senior security analyst at Sophos.

All the new variants are transmitted in an e-mail file attachment named readnow.zip. Users who open the compressed Zip file find the worm program, which they must also click on to run, infecting their computer in the process.

The variants also come in e-mail messages with the same subject line, "don't be late!" and a similar message body which reads, in part: "Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late."

Belthoff said the latest variants "don't show a lot of imagination". Even without antivirus software, users could filter messages based on the attachment name or subject line and be confident of stopping the new Mimail varieties.
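The filtering Belthoff describes amounts to matching two static indicators quoted in the article: the attachment name readnow.zip and the subject line "don't be late!". The following is an added example (not part of the original article and not a vendor product) that applies such a filter to a set of constructed sample messages using Python's standard `email` library; the sender and recipient addresses and the attachment bytes are made up for the test.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article for Mimail.E, Mimail.F and Mimail.H.
MIMAIL_ATTACHMENT = "readnow.zip"
MIMAIL_SUBJECT = "don't be late!"


def build_sample(subject, attachment_name=None, body="hello"):
    """Construct a sample RFC 5322 message as bytes (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Constructed bytes standing in for the Zip archive; not worm content.
        msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def attachment_names(msg):
    """Return the declared filenames of all attachment parts of a parsed message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_bytes):
    """Return the list of Mimail indicators matched by a raw message.

    Matching is case-insensitive; comparison is against the normalised
    subject and each attachment filename.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().casefold()
    if subject == MIMAIL_SUBJECT:
        hits.append("subject")
    for name in attachment_names(msg):
        if name.strip().casefold() == MIMAIL_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def filter_mailbox(raw_messages):
    """Split raw messages into (quarantined, delivered) lists based on the indicators."""
    quarantined, delivered = [], []
    for raw in raw_messages:
        (quarantined if classify(raw) else delivered).append(raw)
    return quarantined, delivered


if __name__ == "__main__":
    samples = [
        build_sample("don't be late!", "readnow.zip"),   # both indicators
        build_sample("Lunch tomorrow?", "agenda.pdf"),   # clean
        build_sample("Re: invoice", "ReadNow.ZIP"),      # attachment only, odd case
    ]
    q, d = filter_mailbox(samples)
    print(f"quarantined={len(q)} delivered={len(d)}")
```

Matching on a literal subject and filename is cheap and, for these particular variants, sufficient, but it is also brittle: the article notes that the new variants already use a different subject line and body from earlier Mimail versions, so a filter built this way has to be updated with each variant rather than being relied on as a general control.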

The simple structure of the worm and the seemingly random list of target websites may be evidence that the latest Mimail versions are "me too" copies, which unsophisticated virus writers spun off from the recent Mimail.C worm.

Sophos and Symantec posted updated virus definitions for their products to stop the latest variants, as well as instructions on removing Mimail from systems that have been infected.

Paul Roberts writes for IDG News Service