- 2 August 2003 17:39
Can you trust your administrator, asks Sophos?
Sophos, a global leader in computer anti-virus protection for businesses, is urging Australian and New Zealand system administrators to take action against W32/Mimail-A, a new mass-mailing worm which has hit hard in the United States.
"W32/Mimail-A arrives in an email claiming to be from your administrator," says Paul Ducklin, Sophos's Sydney-based Head of Technology, Asia Pacific. "It suggests that your email account will expire soon and urges you to read the attached information. The attachment, called 'message.zip', isn't a message at all – it's a copy of the worm, which scours your hard disk looking for email addresses for its next round of victims."
Ducklin says that W32/Mimail-A uses a simple but effective trick to disguise the fact that it is a program. The attachment containing the worm is an innocent-looking ZIP archive named 'message.zip', meaning that it cannot directly be executed. Users who unzip the file find another innocent-looking HTML file inside, named 'message.html'. Once again, this file cannot directly be executed. But it contains an embedded EXE file which is automatically extracted when the HTML is opened – and unpatched versions of Outlook will launch this extracted program without the user even being aware of its existence.
"By Monday morning, many Australian and New Zealand business users will have copies of this worm waiting in their mailboxes," warns Ducklin. "Administrators who have automatic, proactive security measures in place will be in a much safer situation than those who don't – and they are unlikely to have to spend Sunday in the office, either."
Sophos advises the following precautions for administrators:
-- Ensure your anti-virus software is up-to-date, both at the gateway and the desktop. Prevention is always better than cure.
-- Consider setting up an unattended, automatic anti-virus updating system such as Sophos Enterprise Manager.
-- If you have a gateway product such as Sophos MailMonitor for SMTP, consider blocking emails with subject lines starting "your account". W32/Mimail-A always uses this text.
-- If you use Microsoft products for mail and web access, make sure you have the latest security updates. Microsoft issued a patch more than three months ago to protect against the HTML exploit used by this worm.
-- Never use attachments to disseminate information when plain text would be sufficient. This will make your users more cautious when they receive emails such as the ones generated by W32/Mimail-A.
FOR FURTHER INFORMATION
Paul Ducklin (email@example.com) is available for comment: +61 407 320 515 (mobile) +61 2 9409 9100 (tel) +61 2 9409 9191 (fax)
Sophos's press contact at Gotley Nix Evans is: Michael Henderson (firstname.lastname@example.org) +61 2 9957 5555 (tel) +61 413 054 738 (mobile) +61 2 9957 5575 (fax)