TechWeb

Security Firms Raise Threat Assessment Of New Worm

Oct 31, 2003 (01:10 PM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=15800381


A self-mailing worm spread at such a rapid clip Friday that several security firms raised their threat assessments to alert users of the danger.

The worm, pegged as Mimail.C by most antivirus vendors, was discovered just after midnight Friday and is a variation of similar malicious code launched in August. That trend--one successful worm tweaked to create another--is nothing new; the most notable example has been a series of worms dubbed as Sobig, whose latest incarnation last struck in August and September.

Like its predecessor, Mimail.C attempts to steal confidential information from compromised machines and send the harvested data to predetermined E-mail addresses. The actual Windows applications it pickpockets are still under investigation, says Craig Schmugar, a virus research engineer at Network Associates Inc.

The worm is also coded to perform denial-of-service attacks against a pair of Web sites, Darkprofits.com and Darkprofits.net.

Mimail.C disguises its worm payload in a .zip file labeled as PHOTOS.ZIP and tries to trick users into opening the message and launching the file by spoofing the sender address as originating from the user's own domain and using a subject heading of "Re: our private photos."

Because it's a mass-mailed worm--and collects E-mail addresses from infected Windows systems to propagate--Mimail may clog mail servers or degrade network performance, Symantec Corp. said in an E-mailed alert.

But "it's nowhere near as effective in mailing itself as was Sobig," Schmugar says. Although there could be a spike in propagation, and thus E-mail traffic, as workers leave work and fire up their home PCs, Schmugar doesn't expect the worm to reach the rate of multiplication that Sobig achieved.

Nonetheless, antivirus organizations raised their alert levels to account for the pace of Mimail's spread. Network Associates, for instance, tagged the worm as a "medium" threat, while Symantec upped its assessment from a 2 to a 3 on its 1-to-5 system to designate virus danger.

Antivirus vendors such as Network Associates and Symantec have already refreshed their virus definitions to account for Mimail, and urge their users to update.

Other tactics to stymie Mimail include filtering for the .zip extension at the E-mail gateway and configuring antivirus software to sniff for malware embedded inside compressed files, says Ken Dunham, an analyst with iDefense, a security intelligence firm.

"Many corporations allow for .zip files to be transferred to others through E-mail," Dunham said in an E-mailed statement. "As a result, Mimail.C has the upper hand when infiltrating networks configured to allow .zip attachments."

The .zip attachment also gets by Microsoft's Outlook E-mail client, which automatically blocks a number of file types--ranging from .exe to .pif--but not .zip.

Infected PCs can be cleaned using an automated removal tool posted at BitDefender Inc.'s Web site. Additionally, Network Associates has listed instructions for manually eliminating Mimail on its site.