Mimail: Worm with "Zip" Spreads Fast
August 1, 2003
About the Virus
Mimail (technically known as W32/Mimail@MM) is a mass-mailer worm breaking so
fast that, as of this writing, the anti-virus vendors have not finished
analyzing it. Mimail spreads with a ZIP file attachment, an unusual attachment
type for a worm. Most worms contain executable attachments that run malicious
code as soon as you double-click them. However, when you double-click a ZIP
file, another application (usually WinZip) shows the contents of the ZIP file
and allows you to extract them. You'd have to double-click a second time on
something within the ZIP file for it to run. Regardless of this extra user
interaction Mimail apparently requires in order to spread, the worm is still
zipping around the Internet quicker than most.
Distinguishing Characteristics
As of this writing, anti-virus vendors are still researching the details of
this worm. However, enough is known to help you successfully block this worm
from your network. The worm is easy to recognize, since it apparently uses only
one format:
From: Admin@domain.com
Subject: your account %n%
Attachment: "message.zip"
Body:
Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
In the From: field, domain.com is your domain name. For instance, if
your company is Widgets Inc., the email would appear to come from Admin@widgets.com. In the Subject field,
%n% represents a random character string; for instance, "aaicbbac."
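As an added illustration (this is example code, not part of the alert and not from any anti-virus vendor), the following Python check applies the three indicators above to an incoming message: the forged "Admin@<your domain>" sender, the "your account <random letters>" subject, and the message.zip attachment. The decision rule (the ZIP attachment plus at least one of the other two indicators) and the sample message it builds are this example's own assumptions and constructions.

```python
"""Flag messages matching the Mimail format described in this alert.

Added example (not code from the alert, its author or any anti-virus vendor).
Indicators come from the alert: From "Admin@<your domain>", Subject
"your account <random letters>", attachment "message.zip". The decision rule
(ZIP attachment plus at least one other indicator) and the sample message are
this example's own assumptions/constructions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject "your account %n%", where %n% is a random string such as "aaicbbac".
SUBJECT_RE = re.compile(r"^your account [a-z]+$", re.IGNORECASE)
ATTACHMENT_NAME = "message.zip"


def mimail_indicators(msg: EmailMessage, local_domain: str) -> list:
    """Return the names of the Mimail indicators a message matches."""
    hits = []
    sender = (msg.get("From") or "").strip().lower()
    # The worm forges the sender as Admin@ the recipient's own domain.
    if sender == f"admin@{local_domain.lower()}":
        hits.append("from-admin-local-domain")
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject-your-account-random")
    # The attachment name is the strongest indicator: the alert says it is always present.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment-message.zip")
            break
    return hits


def is_mimail(msg: EmailMessage, local_domain: str) -> bool:
    """Assumed rule: the message.zip attachment plus at least one other indicator."""
    hits = mimail_indicators(msg, local_domain)
    return "attachment-message.zip" in hits and len(hits) >= 2


def parse_raw(raw: bytes) -> EmailMessage:
    """Parse one raw message (e.g. pulled from a gateway quarantine) into an EmailMessage."""
    return email.message_from_bytes(raw, policy=policy.default)


def build_sample(local_domain: str, token: str = "aaicbbac",
                 with_attachment: bool = True) -> EmailMessage:
    """Constructed sample in the format the alert quotes; not a captured worm message."""
    msg = EmailMessage()
    msg["From"] = f"Admin@{local_domain}"
    msg["To"] = f"user@{local_domain}"
    msg["Subject"] = f"your account {token}"
    msg.set_content(
        "Hello there, I would like to inform you about important information "
        "regarding your email address. This email address will be expiring. "
        "Please read attachment for details.\n\nBest regards,\nAdministrator\n")
    if with_attachment:
        # Placeholder bytes (a ZIP local-header signature); only the filename matters here.
        msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                           filename=ATTACHMENT_NAME)
    return msg


if __name__ == "__main__":
    sample = parse_raw(build_sample("widgets.com").as_bytes())
    print(mimail_indicators(sample, "widgets.com"), is_mimail(sample, "widgets.com"))
```

Requiring the attachment plus one further indicator keeps a genuine notice from a local "Admin" mailbox (no ZIP attached) out of quarantine, while still catching the worm if a future variant changes either the subject token or the forged sender domain.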
If a victim double-clicks the attached message.zip file, they will find that it
contains an .HTM (Web-page) file. The victim must then double-click a second
time, on the .HTM file, for it to open in Internet Explorer (IE). Unfortunately,
this .HTM file exploits a known vulnerability in IE that allows attackers to
automatically store and execute malicious code on your computer. In other words,
if the victim opens the .HTM file in any version of IE, the virus automatically
executes.
When a victim opens the .HTM file, IE automatically saves a file called
foo.exe into a temporary IE folder and executes the file. When run, foo.exe
creates three new files, videodrv.exe, exe.tmp, and zip.tmp in the default
Windows directory. The worm also adds registry entries to ensure that it can
reload whenever you reboot your computer. Finally, the worm searches your
computer for email addresses and uses its own SMTP engine to send itself to
every address it finds.
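As an added example (not code from the alert, its author or any vendor), here is a Python check for the host-side traces the paragraph above describes: foo.exe in an IE temporary folder, and videodrv.exe, exe.tmp and zip.tmp in the Windows directory. It assumes the caller passes in the directories to inspect, and, because the alert does not name the exact registry key the worm uses to reload at boot, it takes the persistence entries as a plain name-to-command mapping (for instance values read from a Run key) and flags any command that references one of the dropped files. The directory layout and the "VideoDriver" value name in the demo are constructed for illustration.

```python
"""Look for the files the alert says Mimail drops on an infected host.

Added example (not vendor or author code). Indicators are from the alert:
foo.exe in an IE temporary folder; videodrv.exe, exe.tmp and zip.tmp in the
Windows directory. Assumptions: the caller supplies the directories to check,
and persistence entries are handed in as a name -> command mapping (for example
values read from a Run key), because the alert does not name the exact key.
"""
import os
import tempfile
from pathlib import Path

WINDIR_INDICATORS = ("videodrv.exe", "exe.tmp", "zip.tmp")
IE_TEMP_INDICATORS = ("foo.exe",)


def find_dropped_files(windir, ie_temp_dirs):
    """Return full paths of indicator files found; names are compared case-insensitively."""
    found = []
    w = Path(windir)
    if w.is_dir():
        for entry in w.iterdir():
            if entry.is_file() and entry.name.lower() in WINDIR_INDICATORS:
                found.append(str(entry))
    for d in ie_temp_dirs:
        # IE temp folders nest cache subdirectories, so walk the whole tree.
        for root, _dirs, files in os.walk(d):
            for name in files:
                if name.lower() in IE_TEMP_INDICATORS:
                    found.append(os.path.join(root, name))
    return sorted(found)


def find_persistence(run_values):
    """Return (value name, command) pairs whose command references a dropped file."""
    names = WINDIR_INDICATORS + IE_TEMP_INDICATORS
    return [(k, v) for k, v in run_values.items()
            if any(n in v.lower() for n in names)]


def run_demo():
    """Build a constructed directory layout and return what the checks report."""
    with tempfile.TemporaryDirectory() as base:
        windir = Path(base) / "WINDOWS"
        ie_root = Path(base) / "Temporary Internet Files"
        ie_cache = ie_root / "cache1"
        windir.mkdir()
        ie_cache.mkdir(parents=True)
        # Two dropped files plus one legitimate file in the Windows directory.
        for name in ("videodrv.exe", "zip.tmp", "notepad.exe"):
            (windir / name).write_bytes(b"MZ")
        (ie_cache / "foo.exe").write_bytes(b"MZ")
        files = [os.path.basename(p) for p in find_dropped_files(windir, [ie_root])]
        # Constructed Run-key style values; "VideoDriver" is a hypothetical name.
        run_values = {"VideoDriver": r"C:\WINDOWS\videodrv.exe", "ctfmon": "ctfmon.exe"}
        persist = find_persistence(run_values)
    return files, persist


if __name__ == "__main__":
    print(run_demo())
```

On a real host, pass the actual Windows directory and the per-user Temporary Internet Files folders to find_dropped_files, and feed find_persistence the values enumerated from the auto-start locations your tooling already collects; a hit on either check is a reason to pull the machine off the network and run an updated scanner.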
So far the anti-virus vendors have not found any malicious payload within
Mimail. However, they are still analyzing the worm and new details may become
available later. If significant new details emerge, we will update you in
another alert.
What you can do
Most major anti-virus vendors already have signatures that detect Mimail.
Check with your vendor for their latest update.
Warn your users, once again, not to open suspicious e-mail attachments. In
this case, advise your users to delete any e-mail from the sender "Admin."
Mimail always contains the attachment, message.zip, which should tip off a
cautious user. Advise users that even an attachment from a known party should
not be opened if it arrives unexpectedly or is not relevant to any recent
conversation.
References:
McAfee description of Mimail
Symantec description of Mimail
TrendMicro description of Mimail
Credits: Researched and written by Corey Nachreiner
Date: 08/24/2004