A British spam-fighting group has been hit by a new and rather venal variant of the Mimail worm, which disguises itself as an e-mail from a woman detailing an erotic encounter and then sends a followup threat to send child porn to the affected computer's user.
According to Wired, if the original attachment is opened, the new Mimail variant sends the infected user a followup e-mail which says an order for a child porn CD will be sent to their postal address, adding that the way to stop that delivery is to respond to what looks like an e-mail address for billing complaints but is really an address for one of eight targeted anti-spam groups, including Spamhaus Project.
Adult Sites Against Child Pornography executive director Joan Irvine was surprised to learn this Mimail variant used the child porn wedge as part of a virus or worm attack – but, at first, the group didn't associate the e-mails with a virus or a worm.
"ASACP has heard from people who received these e-mails," she told AVN.com. "They were concerned that someone was trying to set them up as targets for the FBI or other law enforcement agencies. Others are just in shock that someone could be sending them child pornography as they are so against this horrific crime against children. When ASACP checked out the e-mails all we could determine is that the claims were bogus. We never thought about it being a virus, as this is not our focus."
Spamhaus founder Steve Linford told Wired that the Mimail attack that hit them Dec. 1 was the third Mimail variant, but one trying to do much more than the earlier two had done. "So many Internet users are flooding us with complaints about these child-porn CDs that we supposedly ordered for them," he told the magazine, adding that he was cooperating with police.
Antivirus/spam filter company Sophos told the magazine that Mimail-L, as the new variant is being called, arrives attached to an e-mail purporting to be from a woman named Wendy, describing a sexual encounter in detail and offering the nude images. Opening the attachment activates the virus, which forwards itself to other e-mail users and turns the affected computer into a zombie that can be told remotely to attack selected targets "with a disabling blizzard of data."
And then comes the followup with the child porn threat.
Linford told Wired he thinks Mimail is the work of one of three organized spam gangs that traffic in stolen credit cards and have hit him with distributed denial-of-service attacks in the past. "These guys write Trojan (viruses), they carry out DDOS attacks and they get their money through selling stolen credit cards and spamming," he told the magazine.
The good news so far is that this new Mimail seems to be a light outbreak compared to the epidemic of viruses that blanketed cyberspace last summer, Wired said. "We have had reports in the dozens, not in the hundreds," Sophos senior technology consultant Graham Cluley told the magazine. "But what this shows is that there is more evidence that virus writers and spammers are now colluding."
During the summer outbreak, various security analysts suggested some spammers had picked up virus-writing techniques and tactics to muzzle their opponents. "They are angry with us," Linford said, "because we try to stop the spamming cycle."
Irvine said that if anyone inadvertently opens the e-mail with the new Mimail attachment and receives the followup e-mail about the child porn CD delivery, they should contact the National Center for Missing and Exploited Children immediately for their own protection.