New, Insidious Worm Spreading Fast
Dec. 12 -- This week we saw two more incarnations of the mass-mailing worm Mimail. W32/Mimail.L and W32/Mimail.M are similar in structure, infection and removal. They have a low to medium damage potential and are spreading fairly rapidly.
The viruses arrive as rather explicit pornographic messages with attachments that purport to offer photos but actually contain the virus. We will leave out the explicit parts in our description below, but you can see the full text at Sophos or Trend Micro's site. Sophos reports that Mimail.L also has an alternate message, sent without an attachment, that an infected machine falls back to when the mass mailing has failed. The alternate message tries to scare the victim by claiming that his credit card is being charged for child pornography.
Mimail's attachment has been reported by several antivirus companies as either a compressed zip file containing an executable, as in previous versions of Mimail, or just the bare executable. The e-mails arrive with one of several subject lines: "Re" followed by 44 blank characters and some random text, "ReWe are going to bill your credit card:", or just "Re".
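For an administrator who wants to stop this lure at the mail gateway, here is an added example (not code from this article, Sophos or Trend Micro) that turns the reported subject lines and attachment forms into a filter. It matches a Subject of "Re" alone, "Re" followed by a long run of blanks, or the credit-card billing threat, and treats a message as quarantinable only when such a subject arrives with a bare .exe or a .zip holding an .exe; the attachment-less billing-threat message is flagged but not quarantined. Two assumptions are built in: the 44-blank subject is matched as any run of 20 or more spaces rather than an exact count, and the sample messages (and the two-byte "MZ" stub standing in for the worm) are constructed here, not real captures.

```python
"""Gateway check for the Mimail.L/M lure described above.

Added example; not code from the article, Sophos or Trend Micro. It encodes
only what the article states about subjects and attachments. All sample
messages are constructed here; the "executable" is an MZ stub, not malware.
"""
import base64
import email
import io
import re
import zipfile

# Subject forms from the article. The 44-blank form is matched as any run of
# 20 or more spaces (an assumption: a gateway should not hinge on an exact count).
SUBJECT_RULES = (
    re.compile(r"^Re$"),
    re.compile(r"^Re {20,}\S"),
    re.compile(r"We are going to bill your credit card", re.IGNORECASE),
)


def suspicious_subject(subject):
    """True if the Subject matches one of the reported Mimail.L/M forms."""
    return any(rule.search(subject or "") for rule in SUBJECT_RULES)


def executable_attachments(msg):
    """Names of attachments that are a Windows executable or a zip holding one.

    Both the filename and the leading bytes are checked, so a renamed file
    does not evade the rule.
    """
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        lname = name.lower()
        if lname.endswith(".exe") or data.startswith(b"MZ"):
            hits.append(name)
        elif lname.endswith(".zip") or data.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if n.lower().endswith(".exe")]
            except zipfile.BadZipFile:
                inner = []
            if inner:
                hits.append(name + ":" + ",".join(inner))
    return hits


def classify(raw):
    """Verdict for one raw RFC 822 message (bytes).

    'quarantine' needs both the lure subject and an executable attachment;
    the attachment-less billing threat Sophos describes is only flagged.
    """
    msg = email.message_from_bytes(raw)
    subject = msg["Subject"] or ""
    subj_hit = suspicious_subject(subject)
    exes = executable_attachments(msg)
    return {
        "subject": subject,
        "suspicious_subject": subj_hit,
        "executable_attachments": exes,
        "quarantine": subj_hit and bool(exes),
        "flag_only": subj_hit and not exes,
    }


# ---- constructed samples (not real captures) ----------------------------

def _zip_with(inner_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def build_sample(subject, attachment=None):
    """Build a raw message; attachment is (filename, bytes) or None."""
    head = (
        "From: someone@example.test\r\n"
        "To: victim@example.test\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
    )
    if attachment is None:
        return (head + "Content-Type: text/plain\r\n\r\n(lure text omitted)\r\n").encode()
    name, data = attachment
    b64 = base64.b64encode(data).decode()
    return (
        head
        + 'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
        + "--B\r\nContent-Type: text/plain\r\n\r\n(lure text omitted)\r\n"
        + "--B\r\nContent-Type: application/octet-stream\r\n"
        + f'Content-Disposition: attachment; filename="{name}"\r\n'
        + "Content-Transfer-Encoding: base64\r\n\r\n"
        + f"{b64}\r\n--B--\r\n"
    ).encode()


FAKE_EXE = b"MZ" + b"\0" * 62  # DOS header magic only; not runnable

SAMPLE_ZIP = build_sample("Re" + " " * 44 + "kq7x", ("photos.zip", _zip_with("photos.exe", FAKE_EXE)))
SAMPLE_EXE = build_sample("Re", ("photos.exe", FAKE_EXE))
SAMPLE_THREAT = build_sample("We are going to bill your credit card:")  # no attachment
SAMPLE_BENIGN = build_sample("Re: meeting notes", ("notes.txt", b"plain text"))

if __name__ == "__main__":
    for raw in (SAMPLE_ZIP, SAMPLE_EXE, SAMPLE_THREAT, SAMPLE_BENIGN):
        print(classify(raw))
```

The filter checks file magic as well as extensions because the article notes the attachment has been seen both zipped and bare; a sender who renames the executable still trips the "MZ" check. A real gateway would add the explicit body text as a further signal, which is left out here for the same reason the article omits it.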
When Mimail runs, it drops a copy of itself into the Windows folder (normally C:\Windows on XP/ME/98/95 or C:\Winnt on Windows NT/2000). It then creates a registry key value so that the copy runs again every time the machine reboots; removal therefore means deleting both the dropped file and the registry value that launches it.
Once running, Mimail scans the hard drive to harvest e-mail addresses from text, database and e-mail files and stores them in a .MP file in the Windows folder. That file is worth keeping before cleanup, since it lists the addresses the machine may have mailed the worm to. During installation Mimail also writes further copies of itself to the Windows folder, but those copies are normally deleted once the worm has finished infecting the machine.
Like earlier strains of Mimail, this latest version uses its own SMTP engine to send copies of itself with the message described above, so it does not depend on the victim's mail client. Because of that, blocking outbound SMTP (TCP port 25) from workstations to anything but the site's own mail server contains the worm whatever mail client is installed. The virus checks that the victim has a working Internet connection and then mails itself to the harvested addresses. Trend Micro reports, however, that W32/Mimail.L fails to start its mass-mailing routine because of a bug in its code.