Mass Email Worms

The term mass-mailing worm describes a general class of viruses, worms and other malware that use email to spread. At a minimum, infections by members of this class of malware are a significant nuisance, especially when they generate high volumes of traffic that flood networks and overload mail relays. At worst, these worms can disclose confidential information from the systems they infect, with some mass-mailing worms going so far as to install keystroke loggers and backdoor services for collecting passwords and other sensitive information from the infected system. Although they all use email to propagate, some of these worms can also spread through other means, such as by scanning for unprotected Windows shares on the infected computer's local network.

Fig. 1 shows that NIMDA uses four methods to infect systems.


Targets of mass-mailing worms

The typical targets of mass-mailing worms are Windows systems. Most worms rely on an unsuspecting user to open an attachment containing the executable (and infected) payload, although some worms have also exploited defects in widely used user agents, like MS Outlook, to execute on the target system without the user even needing to open an infected attachment. Malware authors have been so successful at exploiting these two vulnerabilities (gullible email users and defective email user agent software) that the risk from email-borne malware is now considered the most significant malicious code risk by most organizations. Because of the risks that mass-mailing worms create, many network administrators must invest heavily in virus scanning software on their mail servers to help prevent the spread of email-borne malware, while users must put up with the delivery delays these scans can cause, and even with having legitimate attachments blocked as false positives.

The Melissa virus, first released in March 1999, was the first mass-mailing worm of global consequence. Network administrators were not prepared to deal with this new kind of malware threat, and the virus's rapid infection of millions of PCs caused widespread disruption and economic damage.

Later mass-mailing worms such as SirCam and Klez have demonstrated increasingly sophisticated and polymorphic behavior, and have proved capable of infecting new victims in large numbers long after their initial appearance on the internet.


This type of threat can be avoided with a combination of desktop anti-virus policy, mail filter software, user education, and renaming attachments so that they carry extensions that cannot be executed. User education and awareness, and using email user agent software which does not suffer from any defects that allow malware to execute without cooperation from the user, are also factors at the desktop.
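
The attachment-renaming step mentioned above can be done by a mail filter before delivery. The following Python sketch is an added example, not code from the original page; the extension blocklist, the ".blocked" suffix and the function names are assumptions chosen for illustration, and the sample message is constructed.

```python
import email
from email.message import EmailMessage

# Assumed blocklist of extensions Windows runs on open; tune it per site.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
SAFE_SUFFIX = ".blocked"  # hypothetical suffix with no file association


def defang_attachments(raw: bytes):
    """Rename executable attachments; return (new_message_bytes, renamed_pairs)."""
    msg = email.message_from_bytes(raw)
    renamed = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, and only the final
        # extension decides how the file opens ("report.doc.pif" is a .pif).
        base = name.strip().rstrip(". ")
        dot = base.rfind(".")
        ext = base[dot:].lower() if dot != -1 else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        new_name = base + SAFE_SUFFIX
        if part.get("Content-Disposition"):
            part.set_param("filename", new_name, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new_name)  # legacy Content-Type name=
        renamed.append((name, new_name))
    return msg.as_bytes(), renamed


def attachment_names(raw: bytes):
    """List attachment filenames in a message, in MIME order."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample() -> bytes:
    """Constructed test message: one executable and one harmless attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="report.doc.pif")
    m.add_attachment("hello", filename="notes.txt")
    return m.as_bytes()
```

Renaming only removes the double-click path to execution; the attachment content is unchanged, so it complements virus scanning on the mail server rather than replacing it.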