Internet users around the globe are still being duped by a tricky new malicious program that claims recipients’ e-mail accounts “will be expiring.” The so-called “MiMail” virus seemed to get a second life on Monday as workers got to the office, antivirus firms said. But there is hope that the virus, which may be an attempt to harvest e-mail addresses, will run out of gas soon.
“I would like to inform you about important information regarding your email address. This e-mail address will be expiring. Please read attachment for details,” claims the e-mail. It is particularly believable because it appears to come from the local network’s system administrator. Copies received by MSNBC.com, for example, came from “firstname.lastname@example.org.”
The menacing message has apparently duped many Internet users into opening the attached file, Message.zip. Antivirus firm MessageLabs Corp. has so far trapped 60,000 copies of the worm. After slowing considerably during the weekend, another 20,000 copies hit MessageLabs filters on Monday morning, the company said — causing the company to keep MiMail rated as a “high” risk.
Network Associates spokesman Vincent Gullotto said the virus may have gotten its initial kick-start because it was initially sent out in a spam mailing.
But Vincent Weafer, senior research director for Symantec Corp., said he was optimistic the virus outbreak would fade away quickly after this Monday-morning flare-up.
“We’re seeing it stabilize now,” Weafer said. “We’re certainly not seeing it take a dramatic turn up.”
Spam-initiated computer viruses often end up as “one-shot deals,” he said. On Monday, Symantec’s risk rating on the worm remained a “3” on a scale of 1 to 5.
It’s possible the virus is attempting to gather e-mail addresses for a later spam attack. If a recipient clicks on the attached file, the virus inserts a small program on the victim’s machine that scans all files to compile a list of e-mail addresses, according to Network Associates Inc. These are then stored in a file called “eml.tmp” on the victim’s computer, perhaps for later retrieval.
But Weafer said MiMail was more likely a “proof-of-concept” worm designed to test this method of e-mail harvesting.
“I think this was a training run,” he said. “We’re seeing someone in the middle of developing (the idea). We will see further ones.”
MiMail spread quickly on Friday. Trend Micro said it had cataloged about 1,000 infections from U.S. customers in just the first few hours on Friday, including some Fortune 100 customers by Friday afternoon.
“That’s pretty good for the opening hours of the game,” said David Perry, Trend Micro spokesman.
E-mail lists devoted to computer security were abuzz with reports of the virus.
The virus even got the attention of Microsoft Corp., which issued an alert about the worm on its security Web site. The alert said the threat from the worm was “moderate.”