Security

Take note of critical Office 2003 update and MiMail worm

For the early adopters who have installed Microsoft Office 2003, there is an important update that you need to be aware of. Also, the MiMail worm is beginning to forge a destructive path. See how to cut it off at the pass.


Administrators need to take notice of the pesky new MiMail worm and an important update for Microsoft Office 2003 that fixes a flaw in the way some files are handled. Plus, as usual, there are notes on a number of other security issues at the end of this column.

Critical update for Office 2003
Microsoft Knowledge Base Article 828041 details what Microsoft rates as a critical update to the new Office 2003 suite. This relates to problems reported when users open or save PowerPoint 2003, Word 2003, or Excel 2003 files that contain an OfficeArt shape modified by users with an earlier version of Office.

Microsoft summarizes the problem like this: “When a PowerPoint 2003 file, a Word 2003 file, or an Excel 2003 file is opened in an earlier version of Office, empty 'complex' properties may be introduced into the file and a bit may be changed in the file record that describes these properties.”

Earlier releases of Office ignore the problem, but in Office 2003, Microsoft says any or all of the following can happen:
  • The document may not open completely.
  • The document may be corrupted.
  • The document may open but with missing content.
  • You might receive an error message.

MiMail worm
A dangerous new infection has raised its ugly head in the form of a number of variants of the MiMail worm. There are two main threats from MiMail to worry about. First, it's a mass-mailing worm that uses your system to host its own SMTP engine; second, different variants target various URLs in an attempt to flood them with junk messages and cause a denial of service event. In these litigious days, you need to be concerned whenever your systems are used to attack others.

The subject line for the early variants reads “don't be late!” followed by some random letters that should always be a strong clue that this isn’t a legitimate e-mail. The worm itself is contained in an attachment, readnow.zip, that contains readnow.doc.scr as the only payload.

Computer Associates calls this virus:
  • Win32.Mimail.G
  • Win32.Mimail.E
  • Win32.Mimail.C

Symantec has called it:
  • W32.Mimail.C@mm
  • W32.Mimail.D@mm
  • W32.Mimail.E@mm

Trend Micro names it:
  • WORM_MIMAIL.D
  • WORM_MIMAIL.C
  • WORM_MIMAIL.F
  • WORM_MIMAIL.E

Applicability
This worm affects all versions of Windows after 3.1.

Risk level—high
The threat level of the different versions varies, but this is generally a pretty dangerous and widespread attack.

Fix
Symantec has posted a free tool for removing MiMail variants A through E, which will:
  • End the W32.Mimail viral processes.
  • Remove the W32.Mimail files.
  • Delete dropped files.
  • Delete the worm’s registry values.

Check the Symantec site in the future to see if there is support for clearing out any later variants that are sure to come. You can also expect that other vendors have posted or will post their own removal tools and instructions.

End sum
Companies that have installed Microsoft Office 2003 on any of their workstations should plan to roll out the new critical update. As for the MiMail worm, if your users open e-mails with random strings of characters in the subject line, then obviously they're asking for trouble and will find it eventually. Make sure users are trained to spot obvious types of spam and mass-mailing messages.

Also watch out for…
  • A major new dial-up networking threat circulating through Europe and Australia is almost certain to hit the United States and Canada soon. This involves a malicious Web site and often a series of pop-up ads. When you click on one to close it, you're instantly disconnected from your dial-up connection, and your system immediately redials, but this time to an international number that may link you to a porno site or simply put you back on the Web. You're billed up to $160 per hour for the connection, and you'll probably not even know that anything has happened. There are reports of enormous telephone bills going to families in various parts of the world. This is such an easy and lucrative scheme that it’s likely to spread. Most corporate office users and others with broadband connections aren’t at risk, but mobile users are, as are any telecommuters who use dial-up. You may be able to have international access blocked from your dial-up line, which would be an excellent method for blocking this type of attack. Similarly, in Europe, the Zelig worm actually changes your default dial-up number to reroute your access to your regular ISP by way of Aruba. Microsoft is taking a long-overdue step in the cybersecurity wars by digging into its tightly clenched war chest of money and offering a $250,000 reward for information leading to the arrest of those responsible for the MSBlast worm, as well as a like reward for the creator of SoBig. This could have major implications in the war on malicious hackers, and it will probably earn Microsoft some goodwill from users and businesses.
  • Meanwhile, Hewlett-Packard is using virus technology to monitor its networks and shut down vulnerable machines before a real infection can cause serious damage. HP reports in a ComputerWeekly.com story that it successfully defended thousands of its networked machines against Blaster using this technique. There are multiple dangers in using this approach, but in a tightly controlled environment, this appears to be a potentially useful technique, although this is still at an early stage of development.
  • Microsoft has released a relatively minor revision to "Cumulative Patch for Internet Explorer" (MS03-040), which you might want to check out.



Editor's Picks