
Mimail-M sent through home computers

By Matt Whipp

Posted on 4 Dec 2003 at 12:52

British Internet security firms have alerted users to the presence of Mimail-M, which is already in the wild, thanks to thousands of home computers being used to send it out.

Mimail-M picks up from the L-variant with the same pornographic message detailing the various love trysts between Wendy and the twins, and again has an attachment that purports to contain pictures of the encounter. The attachment is a password-protected zip file - a ploy designed to bypass any antivirus software, as such programs may not scan zip files by default.

But as well as harvesting contact addresses and sending itself on to them, the author has also created a separate instance of the virus which he or she is mass-mailing by hand.

'He's trying to feed the infection,' said Graham Cluley, senior technology consultant at Sophos. 'But we don't think he's being very successful.'

MessageLabs agrees. It says it has stopped around 1,000 of these 'seed' copies, but has yet to intercept a genuine instance where the virus has been sent on from an infected computer.

While Mimail-M doesn't look that threatening for now, there is one disturbing danger. Paul Wood, principal information security analyst at MessageLabs, told us that the seed copies are being sent out 'using spam software that goes through a database of open proxies.'

These open proxies are computers with a broadband connection that have been infected with a virus, allowing remote control for various purposes including sending spam.

The fact that all these IP addresses have been collected into a database and sold as a feature of spam software should be alarming enough, but Wood revealed more about the extent of the problem. 'No more than 10 copies [of Mimail-M] are going through any one individual IP address,' he said.

While this helps disguise the origination of the spammer and helps ensure that those IP addresses don't end up on antispam blacklists, it also indicates quite how many of these 'open proxies' are out there. Wood agreed that they must number hundreds of thousands.

'They are the air supply of spammers,' he said.

Mimail-M also attempts a denial of service attack on the numerous websites of Dark Profits - an organisation often advertised in spam. A spokesperson for MessageLabs said: 'This is a growing trend in the spam wars.'

Previous variants of Mimail have targeted antispam sites with DoS attacks - further evidence of the increasing collusion of spammers with virus writers.

For more information, visit the Sophos and MessageLabs websites.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.