UK Firms Waking Up To Mimail Attack

Sophos is urging UK firms to take immediate action against the new Mimail worm (W32/Mimail-A), a mass-mailing worm which first struck in the United States on Friday 1st August. Sophos has received many reports of Mimail infections and anticipates the worm could be one of the biggest of 2003.

Sophos’s UK customer support team has seen a heavy increase in the number of reported infections since UK businesses reopened on Monday 4th August. This suggests that employees have come to work on Monday morning, opened the offending email – which claims to be from their IT department – causing it to propagate to all their email contacts.

“The Mimail worm is getting a second lease of life as UK businesses log on to start a new working week,” said Graham Cluley, senior technology consultant, Sophos Anti-Virus. “While US firms have been patching their systems against this threat, their UK counterparts have been enjoying a sunny weekend, blissfully unaware that a virus is sitting on their email system just waiting to be unleashed. Businesses need to seriously consider switching to automatic anti-virus updates which can be pushed out proactively as soon as a new virus hits.”

The Mimail worm arrives in an email claiming to be from the network administrator. Cunningly, it can even spoof the domain name of the business’s email address. For instance, if the recipient’s email address is John.Smith@ABCLimited.com the email would appear to come from admin@ABCLimited.com.
v The message suggests that the recipient’s email account will soon expire and urges them to read the attached information. The attachment, called ‘message.zip’, contains an HTML file which is not a message at all – it is a copy of the worm, which scours the user’s hard disk looking for email addresses for its next round of victims.

“Mimail’s author has gone to great lengths to disguise his code as a legitimate email,” continued Cluley. “However Mimail’s text does leave a vital clue that it is a rogue email – business email accounts don’t expire. Users need to think carefully before they launch any attachment, even if it does appear to come from a bona fide email address.”

The Mimail worm works by exploiting an old vulnerability in the Microsoft operating system. A patch against this vulnerability has been available to download for months. Once the patch is applied, networks will be immune from infection from Mimail.

More information about the Mimail worm can be found at
http://www.sophos.com/virusinfo/analyses/w32mimaila.html