Mimail, a new Internet worm that spreads via e-mail, is on the loose, mainly in the U.S., according to security companies.
Mimail, similar to the Klez worm, spreads itself by using two Internet Explorer vulnerabilities for which Microsoft Corp. has already released patches, according to the Panda Software Virus Laboratory in Glendale, Calif. The subject line is “your account,” which is followed by a random number.
The infected mail, which contains a false sender address – making it difficult to identify the real sender – appears to come from the recipient’s technology staff, according to a statement from Moscow-based security company, Kaspersky Labs International, which believes Mimail is the work of Russian virus writers.
The message in the e-mail is, “Hello there, I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details. Best regards, Administrator.” It also has an attached file: message.zip.
If the user opens the attached HTML file, the built-in Java script enters via Exploit.SelfExecHTML and copies itself onto disk files. It then releases a carrier-file named VIDEODRV.EXE and registers this file in the Windows autorun register. VIDEODRV.EXE is then launched every time the computer is rebooted, according to Kaspersky Labs.
Symantec Corp. and McAfee Security for Consumers described the worm, which has also been called W32/Mimail@MM, as carrying a moderate risk.
According to a statement from Cupertino, Calif.-based Symantec, the message.zip attachment contains only one file, Message.htm, which uses a code base exploit to create a copy of the worm named Foo.exe in the Temporary Internet Files folder and then runs it. The compression method for this file inside the .zip file is stored so that there is no compression used at all.
Sunnyvale, Calif.-based McAfee Security said in its advisory about the worm that once the W32/Mimail@MM worm infects a computer, it first tries to determine if the infected system is connected to the Internet by trying to contact Google.com. After determining that, it then begins to try to e-mail itself to other users.
Kaspersky Labs said Mimail continues to spread by sending copies of itself to all the e-mail addresses in an infected computer’s address book.
“We were lucky this time,” said Eugene Kaspersky in a statement. “Mimail is a relatively harmless worm with no serious side effects. The danger is that Mimail takes advantage of a vulnerability in the Internet Explorer, which provides a dangerous precedent for other virus writers and hackers.”