An e-mail worm posing as a system administrator message was rapidly spreading over the Internet as workers returned to the office Monday and unwittingly contributed to its proliferation by opening attachments.
The worm, dubbed “MiMail,” indicates to receivers that their e-mail account will soon expire and tricks users into opening an attachment that contains malicious software — called “malware” — designed to spread itself.
While there was an insurgence of infection over the weekend and early on Monday, security experts said the worm is not likely to cause Internet slowdowns and probably will die down as antivirus software begins to defend against it.
“It’s a level three out of five with most AV vendors, which is fairly severe, but there’s really nothing to indicate it’s going to get worse,” ISS X-Force engineering manager Dan Ingevaldson told TechNewsWorld.
The spread of the worm, which was discovered Friday, so far has been concentrated in the United States and increased as office computers were turned on to start the work week, Ingevaldson said.
“These sorts of things tend to propagate with the rising and setting of the sun because they use e-mail,” he said. “It’s a case of the weekend being over and people back to work on Monday.”
Ingevaldson credited the time lag between the spreading e-mail worm and updated antivirus definitions, or signatures, for MiMail’s propagation.
“It shows there are some limitations to traditional antivirus,” he said, adding that MiMail is intended only to spread and does not destroy files.
MiMail takes advantage of a three-month-old vulnerability in Microsoft Outlook Express. Ingevaldson said the worm is actually less aggressive than other worms because it seeks e-mail addresses from files on the hard drive rather than from the Outlook address book.
Still, the bogus e-mail, which purports to be a message from the system administrator by spoofing the domain name of the receiver’s company or ISP, continues a trend of malware masquerading as an official document.
“Every single one lately has [had] some sort of spoof or fake for some sort of authority,” Ingevaldson said.
The MiMail message requests users to read an attachment to find out about the expiration of their e-mail account, which should raise flags because most accounts do not expire.
Still, the attachment – “Message.zip” – contains an HTML file, which users typically assume is safe, according to Ingevaldson.
“For the most part, [opening an HTML file] is seen as okay,” he said. “But it’s embedded with an executable within the HTML file.”
It is likely the worm was originally launched using bulk e-mail, or spam, software, which contributed to a quick start for MiMail, according to Message Labs chief information analyst Paul Wood.
Wood told TechNewsWorld that the combination of viruses, trojans and spamming software marks a trend over the last month.
“There’s the potential we could see more and more of that happening – virus, trojan and spam all coming together,” he said.
Weakness with Worm
For his part, Ingevaldson said MiMail marks another instance of a trend toward coupling virus and vulnerability, whereby virus writers use exploitable weaknesses to spread worms.
“It’s a trend we’ve seen building for a couple of years,” he said. “The virus writers are turning into hackers and using exploits to propagate their worms.”
Although a patch was made available in late April for the Outlook Express vulnerability that is exploited by MiMail, the usual reluctance to apply patches left systems at risk.
“As always, it’s important to have users learn their software is connected to the Internet,” Ingevaldson said. “Their software and e-mail and Internet Explorer are all vulnerable, all exposed. They should be accustomed to using Windows Update. Don’t ignore it — install it. It’s going to protect you from a lot.”