// Home / News

Mimail-L starts its rounds

Posted on 2 Dec 2003 at 11:06

Another variant of the pernicious Mimail worm has been reported in the wild: Mimail-L.

This worm, the variants of which are believed to be the creation of a single author, has previously tried to scan user's financial details, attack anti-spam websites and execute a PayPal related scam. Indeed, a previous Mimail-J was one of the fastest spreading viruses on the Net in November - New Mimail variant spreading fast.

Graham Cluley, Senior Technology Consultant at Sophos told us that Mimail-L follows a similar path. Not only does it use the host computer to launch denial of service attacks against an anti-spam organisation but it also tries to collect credit card information. Sophos calculates that 30 per cent of spam is actually sent from hijacked computer resources.

'Spam is ruining many people's experience of the internet,' said Cluley. 'This worm wages war on the anti-spam community, disrupting their attempts to keep the net spam-free. The most likely conclusion is that the writer of this worm is in some way connected with the spamming community.'

'It would be wrong for anyone to present this kind of virus writing activity as a harmless prank - this is clear criminal activity,' he added.

In a sinister twist, it informs the recipient that their credit card has been debited to pay for the child porn CDs they ordered, and that they must send their credit card details to cancel the transaction.

To start automatically with Windows, the worm modifies the Registry and copies itself as svchost.exe into the Windows folder. It will spread via email, using addresses found on the host computer and which are stored in a file xu298da.tmp, again in the Windows folder.

The Subject field of infected emails is simply 'Re[2]' and the racy message text begins: 'Hi Greg its Wendy

I was shocked, when I found out that it wasn't you but your twin brother!!!'

You can find more information about Mimail-L on the Sophos website.