Mimail family rampages across Internet

By Tracy Burrows, ITWeb contributor.
Johannesburg, 03 Dec 2003

Variants of the Mimail worm accounted for up to half of all virus attacks last month, with a new variant waging war against anti-spam sites.

Anti-virus firm Sophos says Mimail variants accounted for 28% of the most-reported viruses in November, while Central Command notes that over half of its "Dirty Dozen" list of November's worst viruses were Mimail variants.

Kaspersky Labs says Mimail variants made up a total of 62% of its list of the top 20 most widespread viruses, with Mimail-C the most troublesome. It accounted for 34.57% of all registered incidences.

Local Sophos distributor Netxactics says the latest Mimail variant, W32/Mimail-L, attempts to knock anti-spam sites off the Internet, and appears to be a criminal act connected with the spamming community. This is not the first Mimail to spread like spam and wage war on anti-spam sites.

Central Command sees the Mimail blitz as the start of virus writing for financial gain. "As is the case with Worm/MiMail.I and Worm/MiMail.J, we are beginning to see the emerging pattern of writing computer viruses for financial gain," says Steven Sundermeier, VP of products and services at Central Command.

"This increasing trend can have a serious effect on users, beyond the normal risk of computer corruption, by destroying their livelihood. Confidential information such as credit card and bank account information is regularly sought."

Netxactics CEO Brett Myroff warns that Mimail-L spreads via a graphic e-mail apparently from a woman called Wendy and offering naked photographs. If the attachment is opened, the worm is activated and uses the victim's computer to launch a denial of service attack on Web sites run by groups that fight spam. Among them are SpamCop, SPEWS and The Spamhaus Project.

If the worm fails to send its usual message correctly, it takes another shot at the anti-spam community by sending an alternative e-mail saying the recipient's credit card details have been debited and that a selection of child porn CDs will arrive in the post. The message tells the recipient that if they want to cancel the order for child porn, they should e-mail an address at an anti-spam organisation.

"This worm wages war on the anti-spam community, disrupting their attempts to keep the Internet spam-free. The most likely conclusion is that the writer of this worm is in some way connected with the spamming community," Myroff says. "It would be wrong for anyone to present this kind of virus writing activity as a harmless prank - this is clear criminal activity."

Myroff adds that some of the other variants of the Mimail worm pose as "private photos" taken at the beach. These variants target a number of different Web sites with denial of service attacks.

While Mimail variants dominated the major anti-virus vendors' "problem lists", a German newcomer emerged as the most problematic new virus of the month. The virus, W32/Sober-A, is a worm that arrives in a number of disguises.

"Sober-A sneakily disguises itself using a number of subject titles and messages, making it difficult to spot with the naked eye," says Graham Cluley, a senior technology consultant at Sophos. "It can even present itself in German if it thinks it is being examined on a German user's computer."
