Is your company protected against the Mimail worm?, asks Sophos Anti-Virus

August 02, 2003 Sophos Press Release

W32/Mimail-A attaches a file called message.zip

Sophos, a global leader in computer anti-virus protection for businesses, is urging system administrators to take action against W32/Mimail-A, a new mass-mailing worm which has hit hard in the United States.

"W32/Mimail-A arrives in an email claiming to be from your administrator," says Paul Ducklin, Sophos's Head of Technology, Asia Pacific. "It suggests that your email account will expire soon and urges you to read the attached information. The attachment, called 'message.zip', isn't a message at all - it's a copy of the worm, which scours your hard disk looking for email addresses for its next round of victims."

Ducklin says that W32/Mimail-A uses a simple but effective trick to disguise the fact that it is a program. The attachment containing the worm is an innocent-looking ZIP archive named 'message.zip', meaning that it cannot directly be executed. Users who unzip the file find another innocent-looking HTML file inside, named 'message.html'. Once again, this file cannot directly be executed. But it contains an embedded EXE file which is automatically extracted when the HTML is opened - and unpatched versions of Outlook will launch this extracted program without the user even being aware of its existence.

"By Monday morning, many business users will have copies of this worm waiting in their mailboxes," warns Ducklin. "Administrators who have automatic, proactive security measures in place will be in a much safer situation than those who don't - and they are unlikely to have to spend Sunday in the office, either."

Sophos offers the following advice to administrators:

  • Ensure your anti-virus software is up-to-date, both at the gateway and the desktop. Prevention is always better than cure.
  • Consider setting up an unattended, automatic anti-virus updating system such as Sophos Enterprise Manager.
  • If you have a gateway product such as Sophos MailMonitor for SMTP, consider blocking emails with subject lines starting "your account". W32/Mimail-A always uses this text.
  • If you use Microsoft products for mail and web access, make sure you have the latest security updates. Microsoft issued a patch months ago to protect against the HTML exploit used by this worm. Microsoft has also published step-by-step instructions for home users on how to help protect their computers with critical updates.
  • IT managers responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp. Other vendors offer similar services.
  • Never use attachments to disseminate information when plain text would be sufficient. This will make your users more cautious when they receive emails such as the ones generated by W32/Mimail-A.
Further reading: Safe computing advice from Sophos.