Mass-mailing worm Mimail-A all set to burrow across Atlantic

By Alun Williams

Posted on 4 Aug 2003 at 11:54

Sophos has issued a full emergency alert regarding a Mimail-A worm.

The mass mailing worm has already been detected in the States, as of Friday 1 August, and the concern is that it will spread rapidly in the UK from the beginning of this working week.

'The Mimail worm is getting a second lease of life as UK businesses log on to start a new working week,' said Graham Cluley, senior technology consultant at Sophos Anti-Virus. 'While US firms have been patching their systems against this threat, their UK counterparts have been enjoying a sunny weekend, blissfully unaware that a virus is sitting on their email system just waiting to be unleashed.'

With a subject line beginning 'your account' and an attachment of message.zip, the message text is:

'Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator'

It exploits an Outlook vulnerability - a patch for which was made available in April - involving an unchecked buffer in the MHTML URL Handler (MIME Encapsulation of Aggregate HTML, which specifies HTML content in email message bodies).

To spread itself, the worm will work its way through the email addresses it finds on your hard drive. Apparently, it can spoof the domain name of the recipient's email address - purporting to come from admin@yourdomain.com.

Sophos says that it has already received many reports of the worm in the USA, hence the scale of the warning issued.

More information, and a virus identity file, can be found at www.sophos.com/virusinfo/analyses/w32mimaila.html