Fact Check

Mimail Virus

Information about the 'Mimail' worm.

Published Aug. 2, 2003

Claim:

Virus name:   Mimail   (message.zip)


Status:   Real.

Example:   [Collected on the Internet, 2003]




From: admin@yahoo.com
Subject: your account

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
auaaaoia



Origins:   Mimail, a self-replicating worm, hit the Internet in August 2003. It replicates by sending a message purporting to come from an administrative account at the recipient's e-mail domain (e.g., if the recipient's e-mail address is <user@snopes.com>, the return address on the Mimail-infected message will be <admin@snopes.com>). The message warns the reader that his "email address will be expiring" and that he needs to "read [the] attachment for details." The attachment is an archive file named Message.zip (because ZIP attachments are not screened out by some mail filters) which contains the file Message.htm. The Message.htm file exploits a flaw in Microsoft Outlook Express to create and execute a worm (using the filename Foo.exe), which replicates itself by sending out more e-mail from the infected system.

The Mimail worm does not appear to cause any damage to the systems it infects (other than using them as bases from which to spread itself). Microsoft has released a patch for Outlook Express which closes the security hole exploited by Mimail. Symantec has also issued a removal tool to clean Mimail-infected systems.
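The message traits described above can be turned into a simple mail-filter check. The following is an added example, not part of the original article or any vendor tool; the function names, the example.com addresses and the sample messages are constructed for illustration, and the ZIP in the sample holds only harmless placeholder text.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

def mimail_indicators(raw: bytes, recipient: str) -> list:
    """Return the traits from the write-up that this raw message matches."""
    msg = message_from_bytes(raw)
    hits = []
    # Trait 1: sender claims to be "admin" at the recipient's own domain.
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    if local == "admin" and domain == recipient.lower().rpartition("@")[2]:
        hits.append("admin sender at recipient's own domain")
    for part in msg.walk():
        # Trait 2: attachment named Message.zip (compared case-insensitively).
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment named message.zip")
        # Trait 3: look inside the archive, since the ZIP wrapper is what
        # lets the HTML file past filters that only screen by extension.
        try:
            data = part.get_payload(decode=True) or b""
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("message.zip is not a readable archive")
            continue
        if "message.htm" in members:
            hits.append("archive contains message.htm")
    return hits

def build_sample(sender, recipient, attach_name, member_name) -> bytes:
    """Construct a harmless test message with a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "<html>harmless placeholder</html>")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "your account"
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_sample("admin@example.com", "user@example.com",
                       "Message.zip", "Message.htm")
    for hit in mimail_indicators(raw, "user@example.com"):
        print("match:", hit)
```

A message matching all three traits is a strong candidate for quarantine; a single trait on its own (for example, any attachment called Message.zip) is better treated as a signal for review.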

Additional Information:





Information on Mass Mailer Worm W32/Mimail@MM (Microsoft)
W32.Mimail.A@mm (Symantec)

Last updated:   28 January 2008


David Mikkelson founded the site now known as snopes.com back in 1994.