Mimail tops virus charts


8 Aug 2003

The latest global virus threat, the Mimail worm, has knocked Klez off the top spot by becoming the fastest spreading e-security threat.

E-mail filtering company MessageLabs has detected 143,709 copies of Mimail since it first appeared on 1 August, making it more prolific than Klez. The latter will not be beaten for longevity for some time however: MessageLabs has picked up over seven million copies of that worm since it emerged 18 months ago.

According to Trend Micro’s world virus tracking centre, a total of 21,485 computers have been infected by Mimail worldwide, over half of them in North America. In Europe the worst affected country is Germany with 2,494 cases of infection followed by Switzerland (1,786), Italy (833), France (371), Norway (349) and UK (312). No statistics are currently available for Ireland.

The rapid spread of Mimail has surprised some observers given its relatively unsophisticated construction. Mimail uses a ‘social engineering’ tactic in the form of a spoofed message from an IT administrator to trick recipients into opening an attachment: a ZIP file containing an HTML file and a UPX-compressed Win32 EXE file. Once opened, the worm harvests e-mail addresses found on the local system and sends itself to those addresses.
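The attachment pattern described above (a ZIP holding an HTML file plus a UPX-packed executable, delivered under an administrator-style lure) is something a mail gateway can flag on structure alone. The following is an added example written for this page, not code from the article, MessageLabs or Trend Micro: it parses a message, inspects any ZIP attachment without trusting file extensions, and reports the combination of indicators. The sample message it builds is constructed and inert; the "EXE" inside is just an MZ header with UPX section-name markers, and the sender and recipient addresses are placeholders.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Section names a UPX-packed PE file normally carries; used as a cheap heuristic.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def build_sample_message() -> bytes:
    """Constructed message mimicking the lure in the article: a ZIP with an HTML
    file and a fake 'EXE'. The EXE is only an MZ header plus UPX markers, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.html", "<html><body>Please see the attached file.</body></html>")
        fake_exe = b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 100
        zf.writestr("update.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "admin@example.invalid"   # placeholder sender, not an indicator
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "your account"
    msg.set_content("Attached is the new account information.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control message: a ZIP containing only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "meeting notes")
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "notes"
    msg.set_content("Notes attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notes.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes, max_member_bytes: int = 5_000_000) -> dict:
    """Describe a ZIP's contents: executable members (by MZ header or extension),
    HTML members, and whether an executable shows UPX markers. Oversized members
    are recorded rather than inflated, so a decompression bomb cannot exhaust memory."""
    result = {"executables": [], "html": [], "upx_packed": False, "oversized": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a valid zip"
        return result
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith((".htm", ".html")):
                result["html"].append(info.filename)
            if info.file_size > max_member_bytes:
                result["oversized"].append(info.filename)
                continue
            content = zf.read(info)
            if content[:2] == b"MZ" or name.endswith(EXECUTABLE_EXT):
                result["executables"].append(info.filename)
                if any(marker in content for marker in UPX_MARKERS):
                    result["upx_packed"] = True
    return result


def scan_message(raw: bytes) -> list:
    """Return the reasons a message matches the Mimail-style attachment pattern
    (empty list when nothing suspicious is found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too: a renamed ZIP still opens as a ZIP on the desktop.
        if not (filename.endswith(".zip") or payload[:2] == b"PK"):
            continue
        found = inspect_zip(payload)
        if found["executables"]:
            reasons.append("executable-in-zip")
        if found["executables"] and found["html"]:
            reasons.append("html-plus-executable")
        if found["upx_packed"]:
            reasons.append("upx-packed-executable")
        if found["oversized"]:
            reasons.append("oversized-zip-member")
    return reasons


if __name__ == "__main__":
    print("lure:", scan_message(build_sample_message()))
    print("benign:", scan_message(build_benign_message()))
```

The point of checking the MZ header and the ZIP magic bytes rather than only file names is that a lure can rename its files freely, while the gateway still sees what the recipient's machine will execute. UPX section names are a weak signal on their own (legitimate software is packed too), so the example reports them only as one of several reasons rather than as a verdict.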

“Unlike other recent worms, Mimail relies on users to actually open an attachment before it is activated so you wouldn’t expect it to propagate as fast as some of the other worms with a more intelligent payload,” said Dave Bolger, technical director at e-security firm Entropy, who felt that the worm poses a fairly low risk to users.

To date, Mimail, like Klez, has presented a greater threat to home users than to corporate users, who tend to have better security precautions in place and are more likely to apply security patches.

Mimail exploits vulnerabilities in Internet Explorer and Microsoft Outlook Express, known as the Object Tag code base exploit and the MHTML exploit – weaknesses which allow a virus sender to execute arbitrary code and script on the infected machine.

Anti-virus vendors Trend Micro and Network Associates have both given the worm a ‘medium’ security risk rating.

By Brian Skelly