04 Aug 2003

UK firms waking up to Mimail attack; worm infections reaching new peak, says Sophos Anti-Virus

W32/Mimail-A attaches a file called message.zip

Sophos is urging UK firms to take immediate action against the new Mimail worm (W32/Mimail-A), a mass-mailing virus which first struck in the United States on Friday 1 August. Sophos has received many reports of Mimail infections and anticipates the worm could be one of the biggest of 2003.

Sophos's UK customer support team has seen a heavy increase in the number of reported infections since UK businesses reopened on Monday 4 August. This suggests that employees came to work on Monday morning and opened the offending email - which claims to be from their IT department - causing it to propagate to all their email contacts.

"The Mimail worm is getting a second lease of life as UK businesses log on to start a new working week," said Graham Cluley, senior technology consultant, Sophos Anti-Virus. "While US firms have been patching their systems against this threat, their UK counterparts have been enjoying a sunny weekend, blissfully unaware that a virus is sitting on their email system just waiting to be unleashed. Businesses need to seriously consider switching to automatic anti-virus updates which can be pushed out proactively as soon as a new virus hits."

The Mimail worm arrives in an email claiming to be from the network administrator. Cunningly, it can even spoof the domain name of the business's email address. For instance, if the recipient's email address is John.Smith@ABCLimited.com the email would appear to come from admin@ABCLimited.com.

The message suggests that the recipient's email account will soon expire and urges them to read the attached information. The attachment, called 'message.zip', contains an HTML file which is not a message at all - it is a copy of the worm, which scours the user's hard disk looking for email addresses for its next round of victims.

"Mimail's author has gone to great lengths to disguise his code as a legitimate email," continued Cluley. "However Mimail's text does leave a vital clue that it is a rogue email - business email accounts don't usually expire in this way. Users need to think carefully before they launch any attachment, even if it does appear to come from a bona fide email address."

The Mimail worm works by exploiting an old vulnerability in the Microsoft operating system. A patch against this vulnerability has been available to download for months. Once the patch is applied, networks will be immune from infection from Mimail.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.