Your E-mail Address Is Not Expiring
Mimail is the name of a new e-mail-based worm which debuted late last week. The message purports to be from "firstname.lastname@example.org" where yourdomain.com is the domain portion of your e-mail address. No, we did not send this message. No, your e-mail address is not expiring (as the message proclaims). And yes, you should never open an attachment, even if it looks like it's from your Internet Service Provider.
The trick to Mimail is that the virus writer took steps to prevent the virus from spreading automatically. In fact, we were going to call this article "Reverse Engineering Social Engineering" but decided to go with something a little less witty and more to the point in the hopes of stemming a flood of messages and inquiries from customers who received a virus purporting to be from email@example.com.
Anyway, as many people know, some files store information; others do things (that's a technical definition). It's only the latter type (called "executables") which can take the necessary actions to deliver a viral payload. Consequently, many Internet Service Providers (ISPs) block executables outright.*
Unfortunately, some file types, such as Microsoft Word documents, can both store information and be executed. Many ISPs block such files as well. If customers need to send or receive such files, the ISP usually instructs the user to "zip" the file up.
Zipping a file has two advantages. First, it compresses the file into a smaller package which takes less time to download. Second, the contents of a zip file cannot be executed without user intervention, preventing a virus from spreading without the user taking some action.
This is where Mimail shows a creative spark. The virus has been zipped up, which means it can get through many ISPs' servers. Also, because many users have been trained by their ISPs to send and receive zip files, many users perceive the message as benign.
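The gap described above, sketched as an added example (not c4.net's scanner or any code from this article): a filter that judges an attachment only by its own extension passes a zip, so this check opens the archive and looks at the member names instead. The extension list, function names and sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative list of extensions treated as executable; not exhaustive.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta")

def is_executable_name(name):
    # Only the final extension counts, so "report.pdf.exe" is caught.
    return name.lower().rstrip(". ").endswith(EXECUTABLE_EXTS)

def risky_attachments(raw):
    """Return attachment names, or 'archive!member' names, with executable extensions."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            hits.append(name)
        # Decide by content, not by name: a renamed zip is still a zip.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            hits.append(name + " (unreadable archive)")
            continue
        hits.extend(name + "!" + m for m in members if is_executable_name(m))
    return hits

def build_sample(member):
    """Constructed sample: one message with a zip attachment holding `member`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "admin@isp.example"      # constructed address
    msg["To"] = "user@isp.example"         # constructed address
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()
```

The check reads member names only; it does not inspect file contents the way a virus scanner does.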
Add to that the fact that Mimail purports to be from the ISP's administrator account itself, and you have one of the fastest-spreading worms in recent history. As our homepage statistics show, Mimail already accounts for 10% of the virus-infected messages caught by our servers.
Unfortunately, we use the account firstname.lastname@example.org almost everywhere (this is going to be a long day for us). So, you can't simply disregard messages from this address. You can be sure, however, that we will not send you a message with an attachment without first communicating the reason to you.
You can also take heed of the subject line, which begins "your account...." We'll avoid using that subject line for some time to come (like, forever).
Finally, the best defense against viruses (besides common sense) is a local virus scanner. With that in mind, please take a moment to update your virus scanning software...and be grateful you don't run an ISP today.
* Please note that c4.net does not block any attachments, as such defense mechanisms are too simplistic to be useful. Instead, we offer a free service which scans every single message destined to your account for viruses.