Sophos, a global leader in computer anti-virus protection for
businesses, is urging system administrators to take action against
W32/Mimail-A, a
new mass-mailing worm which has hit hard in the United States.
"W32/Mimail-A arrives in an email claiming to be from your
administrator," says Paul Ducklin, Sophos's Head of Technology,
Asia Pacific. "It suggests that your email account will expire soon
and urges you to read the attached information. The attachment,
called 'message.zip', isn't a message at all - it's a copy of the
worm, which scours your hard disk looking for email addresses for
its next round of victims."
Ducklin says that W32/Mimail-A uses a simple but effective trick
to disguise the fact that it is a program. The attachment
containing the worm is an innocent-looking ZIP archive named
'message.zip', meaning that it cannot directly be executed. Users
who unzip the file find another innocent-looking HTML file inside,
named 'message.html'. Once again, this file cannot directly be
executed. But it contains an embedded EXE file which is
automatically extracted when the HTML is opened - and unpatched
versions of Outlook will launch this extracted program without the
user even being aware of its existence.
"By Monday morning, many business users will have copies of this
worm waiting in their mailboxes," warns Ducklin. "Administrators
who have automatic, proactive security measures in place will be in
a much safer situation than those who don't - and they are unlikely
to have to spend Sunday in the office, either."
Sophos offers the following advice to administrators:
- Ensure your anti-virus software is up-to-date, both at the
gateway and the desktop. Prevention is always better than
cure.
- Consider setting up an unattended, automatic anti-virus
updating system such as Sophos Enterprise
Manager.
- If you have a gateway product such as Sophos MailMonitor for SMTP, consider blocking
emails with subject lines starting "your account". W32/Mimail-A
always uses this text.
- If you use Microsoft products for mail and web access, make
sure you have the latest security updates. Microsoft issued a
patch months ago to protect against the
HTML exploit used by this worm. Microsoft has also published
step-by-step instructions for home users
on how to help protect their computers with critical updates.
- IT managers responsible for security should consider
subscribing to vulnerability mailing lists such as that operated by
Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp.
Other vendors offer similar services.
- Never use attachments to disseminate information when plain
text would be sufficient. This will make your users more cautious
when they receive emails such as the ones generated by
W32/Mimail-A.
Further reading:
Safe computing
advice from Sophos.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.