CAN20031031a
Mimail.C Worm Spreading Quickly
Fake Photos Attachment Infects Systems
With Worm, Overloads E-mail, Steals Information
Dates & Revisions
- Original CAN date: October 31, 2003
- Latest revision: October 31, 2003
Systems Affected
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Problem Overview
A new worm known as Mimail.C has been discovered in heavy distribution on the Internet. The worm reproduces across the Internet via e-mail in a message with the subject "Re[2]: our private photos [random string of letters]" and an attachment named "photos.zip." The ZIP file uses a code-based exploit of a Microsoft vulnerability reported in April 2003 to create and execute a file named "photos.jpg.exe" within the Temporary Internet Files folder. On computers that do not have the Microsoft April 2003 Cumulative Patch for Outlook Express installed, this .EXE file can be created and executed automatically, even if the user does not open the attachment.
Once executed, the worm attempts to gather e-mail addresses from the infected computer and reproduce itself by e-mailing those addresses directly, using the Internet DNS subsystem to do so. The worm also attempts to capture information from particular windows and e-mail that information to predetermined e-mail addresses.
While the theft of information from your system is certainly a serious security breach, the more likely damage to your system will be the loss of bandwidth caused by the worm's attempts to e-mail itself to the other e-mail addresses it finds on your computer.
If your computer contains a copy of Microsoft Outlook Express that has not been patched with the cumulative patch released in April 2003 (see below), it is potentially vulnerable to infection by this worm. We urge all users to obtain and apply this patch directly from Microsoft.
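As an added illustration (not part of the original advisory), the following Python script checks an e-mail message for the indicators described above: the "Re[2]: our private photos ..." subject, the photos.zip attachment name, and a double-extension file such as photos.jpg.exe inside the archive. The sample message is constructed inline with harmless placeholder bytes, and the wider list of image/executable extension pairs in the regex is an assumption added for broader coverage.

```python
import io
import re
import zipfile
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators taken from the advisory: the subject line, the photos.zip attachment
# name, and the double-extension file (photos.jpg.exe) inside it. The extra
# extension pairs in DOUBLE_EXT_RE are an assumption, not from the advisory.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos(?: [A-Za-z]+)?$")
ATTACHMENT_NAME = "photos.zip"
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|txt|doc)\.(exe|scr|pif|com|bat)$", re.I)


def mimail_indicators(raw_message):
    """Return the list of Mimail.C indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        if name.lower() == ATTACHMENT_NAME:
            hits.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # ZIP local-file-header signature
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if DOUBLE_EXT_RE.search(member):
                            hits.append("double-extension:" + member)
            except zipfile.BadZipFile:
                hits.append("corrupt-zip")
    return hits


def build_sample(subject, attachment_name, zip_member):
    """Construct a harmless test message shaped like the one the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zip_member, b"placeholder bytes, not an executable")
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg.attach(MIMEText("see attached"))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(att)
    return msg.as_string()
```

Run against a mail spool or gateway quarantine, a message returning all three indicators is a strong match, while a lone "double-extension" hit on any archive is worth quarantining regardless of the subject.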
Problem Details
For detailed technical descriptions of the problem, please review the following links:
Please note that the organizations controlling the content of the web sites referenced by these links may periodically update the information on their sites as new details about the severity of the threat become known.
What Should I Do?
You should immediately:
- review the bulletins listed above,
- delete any such e-mail which you receive without opening the attachment, and
- update your anti-virus software with the latest available signature files.
- Additionally, if your copy of Outlook Express has not been patched with the April 2003 Cumulative Patch (see the Microsoft article listed above), EITHER download and apply the Microsoft April 2003 Cumulative Patch for Outlook Express OR upgrade your Outlook Express software to the latest version and apply any available patches.
What If I Am Unable To Fix The Problem?
If you are unable to correct these problems yourself or are unsure how to proceed, contact Logical Operators and arrange to have one of our service technicians check your system and apply the corrections for you (standard service fees will apply). In addition to correcting the problem(s) listed in this CAN, our technicians can also test your system for thousands of other known threats which may be present on your system, make valuable recommendations on securing your system from future threats, and perform numerous other computing services.