New, Insidious Worm Spreading Fast

Dec. 12, 2003 -- This week we saw two more incarnations of the mass-mailing worm Mimail. W32/Mimail.L and W32/Mimail.M are similar in structure, infection method and removal. Both have a low to medium damage potential and are spreading fairly rapidly.

The worms arrive as rather explicit pornographic messages with attachments that purport to contain photos but actually carry the worm. We leave out the explicit parts in the description below; the full text is available on the Sophos and Trend Micro sites. Sophos reports that Mimail.L has an alternate message, sent without an attachment from an infected machine on which the mass-mailing has failed. The alternate message tries to scare the recipient by claiming that their credit card is being billed for child pornography.

Several antivirus companies report that Mimail's attachment is either a compressed zip file containing an executable, as in previous versions of Mimail, or the bare executable itself. The e-mails arrive with one of several subject lines: Re[3] followed by 44 blank characters and some random text, Re[2]We are going to bill your credit card:, or simply Re[3].

When Mimail runs, it drops a copy of itself into the Windows folder (normally C:\Windows on XP/ME/98/95 or C:\Winnt on Windows NT/2000). It then creates a registry value so that the copy is started again every time the machine reboots.

Infection Process

Once running, Mimail scans the hard drive to harvest e-mail addresses from text, database and e-mail files, and stores them in a .MP file in the Windows folder. During installation, Mimail also writes further copies of itself into the Windows folder, but these copies are normally deleted once the worm has finished infecting the machine.

Like earlier strains of Mimail, these versions use their own SMTP engine to send copies of themselves, with the message described above as the body. The worm checks whether the victim has a working Internet connection and then sends messages to the harvested addresses. Trend Micro reports, however, that W32/Mimail.L fails to start its mass-mailing routine because of a bug in its code.

Mimail also attempts a denial-of-service attack against a hard-coded list of Web sites. The list differs between the two versions, but the attacks are alike. According to Symantec's descriptions, both versions start 15 attack threads at a time against a randomly chosen site from the list, using TCP or ICMP. After each thread's attack the worm sleeps for 5 seconds before trying again. The attack packets are padded with random data. Symantec also reports that both versions capture user data and send it to predetermined e-mail addresses.

Fact File: W32/Mimail.L-mm and W32/Mimail.M-mm

Name: W32/Mimail.L-mm, W32/Mimail.M-mm

Type: Windows 32-bit mass-mailing worm

Affected Systems: Windows 95/98/ME, Windows NT, Windows 2000, Windows XP

Non-affected systems: Windows 3.x, Linux, Unix, OS/2, Mac

E-mail from field: spoofed

E-mail Subject field: Re[3] followed by 44 blank characters and some random text; Re[2]We are going to bill your credit card:; or simply Re[3]

File Attachment name: Mimail.L — wendy.zip (contains for_greg_with_love.jpg.exe); Mimail.M — only_for_greg.zip (contains for_greg.jpg.exe). In either case the executable may also arrive on its own, without the zip wrapper.
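The subject lines and attachment names in the fact file are the indicators a mail administrator would actually filter on, so here is an added example of a gateway-style check built from them. This is editorial example code, not part of the original article and not from any of the vendors cited: it flags a message whose subject matches the reported Mimail.L/M patterns, whose attachment name hides an executable behind a second extension (for_greg.jpg.exe), or whose zip attachment contains an executable. The sample messages are constructed in the script with placeholder bytes in place of any worm code; the list of executable extensions beyond .exe is an assumption added for completeness.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# .exe is the type the article reports; the other Windows executable
# extensions are an added assumption, not taken from the article.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Subjects reported for Mimail.L/M: "Re[3]" alone or followed by 44 blanks
# and random text, and "Re[2]We are going to bill your credit card:".
SUBJECT_PATTERNS = [
    re.compile(r"^Re\[3\](?: {44}.*)?$"),
    re.compile(r"^Re\[2\]We are going to bill your credit card:"),
]


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, including the dot."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def has_executable_ext(name: str) -> bool:
    return _ext(name) in EXECUTABLE_EXTS


def is_double_extension(name: str) -> bool:
    """True for names like for_greg.jpg.exe: a harmless-looking extension
    immediately before a real executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


def executable_members(data: bytes) -> list[str]:
    """Names of executable files inside a zip payload; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if has_executable_ext(n)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the Mimail.L/M
    profile described in the article; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    subject = str(msg["Subject"] or "")
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"subject matches Mimail pattern: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_double_extension(name) or has_executable_ext(name):
            reasons.append(f"attachment name is executable: {name}")
        members = executable_members(data)
        if members:
            reasons.append(f"zip {name} contains executables: {members}")
    return reasons


def zip_bytes(inner_name: str) -> bytes:
    """Constructed zip holding a placeholder file (no real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ placeholder bytes, not a real program")
    return buf.getvalue()


def build_sample(subject: str, attachment_name: str, payload: bytes) -> bytes:
    """Constructed message shaped like the reported Mimail mail."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # the article notes From: is spoofed
    msg["To"] = "greg@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Constructed body standing in for the worm's message text.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # The Mimail.M shape from the fact file: billing subject + zipped .jpg.exe
    sample = build_sample("Re[2]We are going to bill your credit card:",
                          "only_for_greg.zip", zip_bytes("for_greg.jpg.exe"))
    for reason in scan_message(sample):
        print("FLAG:", reason)
    print("clean mail:", scan_message(
        build_sample("Re: lunch", "notes.zip", zip_bytes("notes.txt"))))
```

The zip check is content-based rather than name-based, so a renamed archive is still opened and inspected; conversely a bare executable that is not a zip falls through to the filename checks, which is why both paths are kept.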