Some folks find flattery in imitation, but spam fighters are finding it in denial-of-service attacks. The attacks are being generated by a nasty but undistinguished virus called Mimail-L, which, as part of its mischief, is commandeering its victims’ computers to deluge with e-mail eight prominent antispam sites. The targeted sites include Spamhaus.org, SpamCop.net and SPEWS.org (Spam Prevention Early Warning System) as well as others, such as Disney’s Go Web site.
Although the author of the virus has yet to be corralled, spam fighters assert that if you dig deeply enough into Mimail’s dark history, you’ll find the clammy hand of a vindictive spammer behind the worm — a spammer who has been burned by the spam busters.
“It’s a pat on the back for a job well done as far as I’m concerned,” SpamCop founder Julian Haight said of the denial-of-service attacks generated by the malware. “It’s annoying, but at the end of the day it tells me I must be doing something right.”
According to information posted at the Web site of Sophos, a maker of antivirus and antispam software located in Abingdon, UK, Mimail-L is a worm that spreads using e-mail addresses harvested from the hard drive of an infected computer. The e-mails describe a sexual encounter with “Wendy” and entice the reader of the message to open an attachment containing explicit photos of the exploit.
Once the attachment is opened, the worm is free to poach e-mail addresses. If the infected computer won’t send out a message with an attachment, the worm will mail a message without one. That message informs recipients that their credit card will be charged US$22.95 on a weekly basis for a CD of kiddie porn. To cancel that subscription, recipients are advised to send their order and credit card information to the SpamHaus site.
The worm also attempts to turn an infected machine into a relay for sending thousands of spam messages to the eight antispamming sites.
The major difference between this latest version of Mimail and its predecessors is the “social engineering” aspect of it, Symantec senior director for security response Sharon Ruckman told TechNewsWorld. “‘We are going to bill your credit card’ is on the subject line,” she explained. “Even if that’s spam, it’s something most people will want to look at because that makes them nervous.”
On a scale of one to five, with five being the most harmful, she said the latest Mimail variant ranks as a Category 2 virus. “It’s a more serious threat than a Category 1 would be because it could spread quickly, but it’s not a serious enough threat that we’re actively notifying the public that they need to be aware of it,” she explained.
Craig Schmugar, a virus research engineer with McAfee Security, added that there wasn’t much that made this variant of the virus stand out from its predecessors. “This one contains some bugs, so the mailing routine isn’t as functional as some of the other variants, which is why it hasn’t spread as far as some of the other ones,” he told TechNewsWorld. “Within the Mimail family alone, this variant has been one of the less successful ones.”
“It’s become more and more clear that these viruses are professional jobs, and they’re done at the behest of spammers,” SpamCop’s Haight told TechNewsWorld. “The viruses are intended to break into systems and turn them to the spammer’s purpose. That can either be hitting us with a denial-of-service attack or actually sending out the spam.”
Schmugar, however, noted that Mimail-L doesn’t appear to be a professionally created virus. “There have been some press reports recently trying to make the connection between spamming and virus authors, but there are more clear ties in some other viruses than this one,” he asserted.
Haight’s antispam activity has made him the target of all sorts of Internet attacks. A couple of months ago, for instance, a mass mailing accused him of being an active operative of Al Qaeda. “It’s become old hat,” he said.