Date: Mon, 4 Aug 2003 15:45:42 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Virus Alert: Mimail Worm

------------------------
VIRUS ALERT: MIMAIL WORM
------------------------

Many of you have reported receiving e-mail from "admin@bcpl.net" stating that your e-mail address is about to expire, and instructing you to read the accompanying file attachment for details.

The e-mail in question is not official BCPL.NET e-mail. There is no such address as "admin@bcpl.net". Official e-mail from the BCPL.NET administrator always comes from "ispadmin@bcpl.net", not "admin@bcpl.net", and it never includes file attachments.

The bogus "admin@bcpl.net" messages are being sent by PCs infected with a virus called the Mimail Worm. Mimail was first detected on the Internet on August 1, 2003, and is spreading rapidly.

The Mimail Worm infects Windows PCs. It does not infect Macintosh OS or UNIX computers.

How The Mimail Worm Spreads
----------------------------

Mimail is spread in the form of an e-mail file attachment that installs the worm if the attachment is opened.

When a PC becomes infected, Mimail compiles a list of target e-mail addresses from addresses found in the address book, in saved e-mail, and in other files on the infected computer. It then mails infected file attachments to all those addresses. It does this each time the infected PC boots up and connects to the Internet.

The e-mail carrying the infected file attachment is always in the following format:

Subject: "your account", followed by either your BCPL.NET username or gibberish.

From Address: admin@

   If you are a BCPL.NET customer your domain is bcpl.net, so you will probably see "admin@bcpl.net" on the "From:" line.

Message Text:

   Hello there,

   I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
   ---
   Best regards, Administrator

File Attachment: The name of the infected file attachment is always "Message.zip".

If you receive e-mail matching the above description, delete it. Do not open the file attachment.

The Mimail Worm infection is not carried by e-mail intentionally sent by the owner of the infected PC. Mimail sends out its infected e-mail without the knowledge of the PC's owner, using mailer routines built into the worm.

How Mimail Infects A PC
-----------------------

The primary cause of infection is opening an infected file attachment received via e-mail.

o If the recipient of a Mimail-infected e-mail intentionally opens the file attachment, his/her PC will become infected.

o Even if the recipient does not intentionally open the attachment, Mimail is able to exploit bugs in all versions of Internet Explorer and Outlook Express that allow the infected file attachment to open automatically. Microsoft has provided patches. See http://support.microsoft.com/default.aspx?scid=kb;en-us;330994 for more information.

What Mimail Does To The Infected PC
-----------------------------------

Mimail runs automatically every time the infected PC starts up. It does four things while it is running:

o It sends infected e-mail to all addresses found on the infected PC, as described above.

o It watches for certain types of information to appear in windows on the infected PC, and e-mails that information to several e-mail addresses. It is assumed that those e-mail addresses are associated with the creators of the Mimail Worm.

How To Protect Your PC From Mimail Worm Infection
-------------------------------------------------

o If you have anti-virus software on your PC, *and* if it is configured to scan incoming e-mail for viruses, *and* if its virus description database is up to date enough to know about Mimail, then it will stop Mimail before it can infect your PC. However the virus description database must be *very* new.
  The Mimail Worm was discovered and described by the major anti-virus software vendors on August 1, 2003, so a virus description database older than that will not enable your anti-virus software to detect and stop Mimail.

  We recommend that you update your virus description database at least once a week, although, given the rate at which new PC viruses appear, once a day would be even better. If you do not keep your virus description database up to date, then your anti-virus software is virtually useless.

o If you use Microsoft Internet Explorer and Outlook or Outlook Express, apply the patches mentioned above to prevent the file attachment that carries the Mimail Worm from automatically infecting your PC.

o In the final analysis you are your own best defence against virus infection. All it takes is a bit of common sense. If you receive a message containing a file attachment DO NOT open the attachment unless ALL of the following are true:

    - The sender is known to you.
    - You are expecting a file attachment from that person.
    - The sender clearly identifies the nature of the file attachment in the text of the message.

  If any one of those three statements is not true, delete the message. DO NOT open the file attachment.

How To Remove the Mimail Worm From An Infected PC
-------------------------------------------------

If your PC becomes infected by Mimail, and if you have anti-virus software on the PC, then your virus definition database must be too old to detect Mimail or your anti-virus software would not have allowed the worm to infect your PC in the first place. Update your virus definitions database, then use the anti-virus software to scan your hard drive.

If you do not have anti-virus software, or if you have trouble with the software vendor's instructions for dealing with a Mimail-infected PC, or if you just want a quick fix, we recommend that you download and run the "Stinger" utility provided free of charge by McAfee.
You will find it on the McAfee web site at:

   http://vil.nai.com/vil/stinger/

Stinger will remove Mimail and several other recent worms and viruses. Please follow the instructions on the Stinger web page very carefully!

More Information About The Mimail Worm:
--------------------------------------

The following URLs will take you to detailed information about Mimail on several well-known anti-virus Web sites:

   http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
   http://www.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
   http://www.F-Secure.com/v-descs/mimail.shtml
   http://www.sophos.com/virusinfo/analyses/w32mimaila.html
   http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=146
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.A

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.

Who to contact about what @BCPL.NET: see http://www.bcpl.net/contacts/
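
The message format described under "How The Mimail Worm Spreads" can be turned into a mail-filter check. The Python below is an added example, not part of the original alert or any BCPL.NET tooling. The function names, the rule of requiring all three indicators, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as stated in the alert text.
SUBJECT_PREFIX = "your account"
SENDER_LOCAL_PART = "admin"
ATTACHMENT_NAME = "message.zip"

def mimail_indicators(raw_message):
    """Return which of the alert's three indicators a raw message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.partition("@")[0].lower() == SENDER_LOCAL_PART:
        hits.append("sender")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits

def should_quarantine(raw_message):
    """Assumed policy: hold the message only when all three indicators match."""
    return len(mimail_indicators(raw_message)) == 3

def build_sample(subject, sender, attachment_name=None):
    """Build a constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "user@example.net"
    m.set_content("Please read attachment for details.")
    if attachment_name:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    # Constructed samples: one matching the alert, one official-style notice,
    # and one ordinary message that shares only the subject prefix.
    samples = {
        "matches alert": build_sample("your account jdoe", "admin@bcpl.net", "Message.zip"),
        "official notice": build_sample("Service notice", "ispadmin@bcpl.net"),
        "ordinary mail": build_sample("your account", "friend@example.org", "photos.zip"),
    }
    for label, raw in samples.items():
        print(label, mimail_indicators(raw), should_quarantine(raw))
```

Matching on all three indicators together keeps ordinary mail that merely has a similar subject or a zip attachment out of quarantine; the returned indicator list lets an operator log partial matches for review.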