Mimail Worm Variants Launch Multi-Pronged Attack
They're plaguing businesses with higher-than-usual volumes of E-mail traffic by stealing addresses and mass-mailing themselves to new victims.
Variants of the Mimail worm released over the weekend continued to plague businesses Monday with higher-than-usual volumes of E-mail traffic, as the worm propagated by stealing addresses and mass-mailing itself to new, unsuspecting victims.
"Get ready for the storm," warned Ken Dunham, the director of malicious code at iDefense, a security-intelligence firm.
Since Mimail.C first surfaced on Friday, four variants--dubbed Mimail.D, Mimail.E, Mimail.F, and Mimail.H--have been uncovered by security firms. All share enough characteristics, ranging from packaging their payloads in compressed .zip files to targeting specific Web sites for denial-of-service attacks, to convince analysts that one individual, or a group of attackers working together, is conducting the assault.
"This wave of Mimail attacks reveals the sophistication of the attacker ... this is not some 'script kiddie' getting lucky with spreading viruses in the wild. The author of Mimail worms has carefully planned and calculated his attacks," said Dunham.
Chris Belthoff, a senior security analyst with anti-virus maker Sophos, agrees, although it's also possible, he said, that someone is simply cracking the code of Mimail.C, making changes, and releasing the worm back into the wild. "We may have some copycatting going on," he said.
Both analysts said that the biggest problem is the sheer number of variants, and the speed with which they've been released. "It's making it very difficult to block this at the gateway," Dunham said.
Like the worm that broke Friday, the new Mimail variants pose as E-mails from users that the recipient might know, since the worm harvests addresses from compromised machines before re-mailing itself to others.
Another characteristic shared by the variants is a .zip file attachment which, when opened, infects the target machine. Zip files, a popular format for compressing documents sent via E-mail, aren't blocked at the E-mail gateway by every organization, since, unlike executables, they are considered relatively safe.
To compound the problem, the variants' .zip files have been purposefully corrupted, said Dunham, so that they're not correctly scanned by some anti-virus software. "The Zip files are designed to choke up some anti-virus software, making the programs give up on the scanning and move on, letting the worm through," he noted.
Belthoff, however, said that when properly configured, the Sophos anti-virus software scans the compressed files and detects the worm variations.
Among the Web sites added to the denial-of-service attack list by the new mutations are several spam information Web sites, such as Spamhaus.org and SPEWS.org, both of which were down on Monday.
Companies should aggressively update their anti-virus definitions, filter against the worms' known file attachments, scan compressed files, and, most important, alert employees yet again to the danger of opening unknown or unanticipated file attachments, said the experts.
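The two gateway measures above, scanning inside compressed attachments and filtering the attachment types the worms use, interact with Dunham's point about deliberately corrupted archives: a scanner that gives up on an archive it cannot parse must not let the message through. The following is an added example, not code from the original article or from either vendor it quotes, showing a fail-closed screening policy for .zip attachments. The article does not describe how Mimail's archives were malformed, so the two "bad" samples here (a truncated central directory and a member whose stored bytes no longer match its CRC) are constructed for illustration, as are the member names and the blocked-extension list.

```python
"""Fail-closed screening of .zip mail attachments (added example).

Policy demonstrated:
  * an archive the parser cannot read is blocked, not passed;
  * every member is fully extracted and CRC-verified, so a member the
    scanner would 'choke' on is blocked too;
  * members with executable extensions are blocked regardless of content.
The sample archives are constructed in-memory; nothing is read from disk.
"""
import io
import zipfile
import zlib

# Assumed gateway policy: final extensions that should never reach a mailbox.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def screen_zip(data: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one attachment body."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # Unparseable structure: fail closed instead of 'giving up and moving on'.
        return "block", f"unparseable archive: {exc}"
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            # 'readme.txt.exe' ends with .exe, so the last extension is what matters.
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                return "block", f"executable member {info.filename}"
            try:
                # Full read forces decompression and the CRC-32 check.
                zf.read(info)
            except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError) as exc:
                # RuntimeError covers password-protected members, which cannot be
                # scanned either and are therefore blocked under this policy.
                return "block", f"member {info.filename} failed integrity check: {exc}"
    return "allow", "archive parsed and all members verified"


# ---- constructed sample archives ------------------------------------------

def make_zip(members: dict[str, bytes], stored: bool = False) -> bytes:
    """Build a well-formed archive from {name: content}."""
    buf = io.BytesIO()
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def truncate_archive(data: bytes, nbytes: int = 30) -> bytes:
    """Cut off the end-of-central-directory record (constructed malformation)."""
    return data[:-nbytes]


def corrupt_member(data: bytes, content: bytes) -> bytes:
    """Flip one byte of a STORED member so its CRC no longer matches."""
    pos = data.find(content)
    assert pos >= 0, "content must be stored verbatim"
    return data[:pos] + bytes([data[pos] ^ 0xFF]) + data[pos + 1:]


if __name__ == "__main__":
    body = b"constructed sample body, not real worm code"
    samples = {
        "clean document": make_zip({"report.txt": body}),
        "double extension": make_zip({"readme.txt.exe": body}),
        "truncated directory": truncate_archive(make_zip({"a.txt": body})),
        "crc mismatch": corrupt_member(make_zip({"a.txt": body}, stored=True), body),
    }
    for label, blob in samples.items():
        print(f"{label:22s} -> {screen_zip(blob)}")
```

The policy is deliberately one-directional: any condition the screener cannot positively verify results in a block, so an attacker gains nothing by making the archive harder to parse.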
"It all comes down to the human element," said Belthoff. "People still don't understand that they shouldn't blindly open file attachments."
Although the damage to infected machines is minimal, the E-mail traffic Mimail generates as it spreads may have an impact on businesses, Belthoff said.
Security firms have pegged the Mimail worm family as a medium or moderate threat, and none have revised their threat assessments since Mimail.C appeared on Friday. So far, Mimail has not shown the staying power, or the potential to wreak as much havoc, as major worm attacks such as SoBig.
New tools to clean infected systems have appeared, however, including an automated utility available from Symantec's Web site that wipes out the C, D, and E variations.