August 1st, 2003, 22:16 PM
Worm masquerades as note from IT staff
A new mass-mailing virus, which disguises itself as a file sent by a computer user's network administrator, began infecting systems Friday.The worm, which is being dubbed "mimail," attempts to exploit a vulnerability in Internet Explorer that allows a script to be executed by an infected computer. The worm then tries to use that script to mass e-mail itself, potentially clogging mail servers or slowing down networks, according to antivirus-company Symantec.
The e-mail carrying the worm has "your account" in the subject line, according to Symantec, and the body reads, "Hello there, I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details." It is then signed "Best regards, Administrator" and contains an attachment labeled "message.zip" which carries the malicious code.
In terms of its method, the mimail bug is somewhat similar to other mass-mailing worms, said Sharon Ruckman, a senior director at Symantec Security Response. What's trickier than usual, she said, is the way the e-mail carrying the worm tries to get people to open the attachment.
"The social engineering aspect (is) a lot more serious," Ruckman said. "You believe it was the administrator from your own domain, whether that is your company or your ISP."
Also of note, Ruckman said, is that the mass e-mailing code is contained in an HTML file, a type of file not normally associated with executing programs. Ruckman recommended that corporations either delete the attachments at the server level or block messages with the "your account" subject line.
View: Symantec Security Response
PS: i've deleted 3 of these emails so far today.