Any IT folks here? Re: w32.mimail worm

a_random_joel Donating Member (1000+ posts) Fri Aug-01-03 02:58 PM
Original message
Any IT folks here? Re: w32.mimail worm
My company's getting hammered by this thing. Looks new, Symantec doesn't have a lot of info on it yet.

Any one else seeing this?

E-Mail has subject line: "your accounts" with a message.zip attachment.
huckleberry Donating Member (729 posts) Fri Aug-01-03 03:06 PM
Response to Original message
1. I received two of these e-mails so far.
We were informed by our Help Desk to delete them immediately.

BTW, I'm in the Pentagon.
 
davsand Donating Member (1000+ posts) Fri Aug-01-03 03:13 PM
Response to Original message
2. I've not seen anything on the industry alerts about it.
Got any more info on it?

Laura
 
a_random_joel Donating Member (1000+ posts) Fri Aug-01-03 03:17 PM
Response to Original message
3. I work Helpdesk for a fairly large company
With multiple Regional Offices, and this thing spread like wildfire...

http://www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html

That's all we know so far...
 
Az Donating Member (1000+ posts) Fri Aug-01-03 03:19 PM
Response to Original message
4. There are big security warnings going on about this weekend
A massive assault is underway in the hack community. Could be part of that. Basically there is a huge hole in MS Win platforms and the hacker community is going to try to pry it wide open before it gets plugged.
 
ArkDem Donating Member (1000+ posts) Fri Aug-01-03 03:32 PM
Response to Original message
5. ..






Virus Information
Name: W32/Mimail@MM

Risk Assessment
- Home Users: Medium
- Corporate Users: Medium

Date Discovered: 8/1/2003
Date Added: 8/1/2003
Origin: Unknown
Length: 16,815 bytes
Type: Virus
SubType: E-mail worm
DAT Required: 4282



Virus Characteristics

The 4192 DAT files (or higher) and 4.1.60+ scan engine will detect this threat in some environments. The detected name is Exploit-Codebase.
This malware bears similarities to Downloader-DK in message construction, which was spammed several days ago. This threat may have also been spammed. It is received as an email attachment as follows.

From: Admin (ADMIN@your_doamin)
Subject: your account %user%
Importance: High
Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

--- Best regards, Administrator

Attachment: message.zip

The attached .ZIP file contains a file named MESSAGE.HTM. This file uses the codebase exploit to automatically create the file foo.exe in the Temporary Internet Files folder and run it. The following files are created in the WINDOWS (%WinDir%) directory:

videodrv.exe (19,824 bytes)
exe.tmp (20,445 bytes)
zip.tmp (20,567 bytes)
The following registry run key is created to load the worm at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "VideoDriver" = C:\WINNT\videodrv.exe
First, the virus checks to see if the system is connected to the Internet by trying to contact google.com. If this check succeeds, the virus attempts to harvest email addresses from the local system. The file extension of each file on the system is checked. If it does not match one of the following extensions, that file is parsed for email addresses:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
Found addresses are stored in a file named eml.tmp in the WINDOWS directory.
An additional registry key is created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Code Store Database\Distribution Units\
{11111111-1111-1111-1111-111111111111}




Indications of Infection

Presence of the following files in the WINDOWS directory:
videodrv.exe
eml.tmp
exe.tmp
zip.tmp




Method of Infection

This mass-mailing worm was likely spammed to thousands of email addresses. When run, the worm harvests addresses found on the local system and sends itself to those addresses.
The mailing routine attempts to query the mail server for the domain related to the harvested address. Messages are sent through that SMTP server. The code also makes reference to the IP address 212.5.86.163 and may mail through list.ru.





Removal Instructions

All Users:
Use the 4282 DAT files for detection and removal.

Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
- WinNT/2K/XP - Terminate the process videodrv.exe.
Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
videodrv.exe
eml.tmp
exe.tmp
zip.tmp
Edit the registry
Delete the "VideoDriver" value from
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Delete the key "{11111111-1111-1111-1111-111111111111}" from
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
Reboot the system
Additional Windows ME/XP removal considerations




Aliases

Mimail (F-Secure), W32.Mimail.A@mm (Symantec), WORM_MIMAIL.A (Trend)



McAfee is a business unit of Network Associates, Inc.
© 2003, Networks Associates Technology, Inc. All Rights Reserved.


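The McAfee profile pasted above gives two kinds of indicators a defender can act on: the lure message (subject "your account", sender "Admin", attachment message.zip) that a mail gateway can flag, and the host artefacts (the four files in the WINDOWS directory and the "VideoDriver" Run value) that a helpdesk can check on a suspect machine. The script below is an added example and is not code from the McAfee page or from anyone in this thread. The function names, the constructed sample message and the dictionary-based inputs are my own assumptions; the filenames, sizes, registry path and value name are copied from the profile. The Windows registry and directory readers only do anything when run on Windows, so the pure matching functions can be exercised anywhere against saved data.

```python
"""Detection helpers for the W32/Mimail@MM indicators listed in the McAfee profile.

Added example, not McAfee's or the thread's code. Indicator values come from
the profile; function names and sample data are constructed for illustration.
"""
import os
import sys
from email import message_from_string
from typing import Dict, Optional

# Files the profile says the worm drops in %WinDir% (name -> size in bytes;
# eml.tmp holds harvested addresses, so its size varies and is left unset).
MIMAIL_DROPPED_FILES: Dict[str, Optional[int]] = {
    "videodrv.exe": 19824,
    "exe.tmp": 20445,
    "zip.tmp": 20567,
    "eml.tmp": None,
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "VideoDriver"          # value name the profile reports under Run
CODE_STORE_CLSID = "{11111111-1111-1111-1111-111111111111}"  # Distribution Units key


def is_mimail_lure(raw_message: str) -> bool:
    """Return True when an RFC 822 message matches the lure described in the profile:
    subject starting 'your account', an admin@ sender, and a message.zip attachment."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    sender = (msg.get("From") or "").lower()
    if not subject.startswith("your account") or "admin@" not in sender:
        return False
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.strip().lower() == "message.zip":
            return True
    return False


def match_dropped_files(windir_listing: Dict[str, int]) -> Dict[str, tuple]:
    """windir_listing maps lowercase filename -> size in bytes.
    Returns {name: (observed_size, expected_size)} for every profile filename present;
    presence alone is the indicator, a size mismatch just hints at a variant."""
    hits = {}
    for name, expected in MIMAIL_DROPPED_FILES.items():
        if name in windir_listing:
            hits[name] = (windir_listing[name], expected)
    return hits


def match_run_values(run_values: Dict[str, str]) -> bool:
    """run_values maps value name -> data from an HKLM or HKCU Run key.
    True when the 'VideoDriver' value points at videodrv.exe."""
    data = str(run_values.get(RUN_VALUE_NAME, "")).strip().strip('"').lower()
    return data.endswith("videodrv.exe")


def list_windir(path: Optional[str] = None) -> Dict[str, int]:
    """Read the Windows directory listing; returns {} where the path does not exist."""
    path = path or os.environ.get("WINDIR", r"C:\WINDOWS")
    listing: Dict[str, int] = {}
    try:
        with os.scandir(path) as entries:
            for entry in entries:
                if entry.is_file():
                    listing[entry.name.lower()] = entry.stat().st_size
    except OSError:
        pass
    return listing


def read_run_values_windows(hive_name: str = "HKLM") -> Dict[str, str]:
    """Enumerate the Run key with winreg; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(hive, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = str(data)
                index += 1
    except OSError:
        pass
    return values


# Constructed sample shaped like the lure in the profile (not a real capture).
SAMPLE_LURE = (
    "From: Admin <admin@example.com>\r\n"
    "Subject: your account jsmith\r\n"
    "Importance: High\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\nContent-Type: text/plain\r\n\r\n"
    "Hello there,\r\n\r\nThis email address will be expiring. Please read attachment for details.\r\n"
    '--b1\r\nContent-Type: application/zip; name="message.zip"\r\n'
    'Content-Disposition: attachment; filename="message.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nUEsDBAo=\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print("lure match:", is_mimail_lure(SAMPLE_LURE))
    print("dropped files:", match_dropped_files(list_windir()))
    for hive in ("HKLM", "HKCU"):
        print(hive, "Run value:", match_run_values(read_run_values_windows(hive)))
```

The message check deliberately requires all three lure features together, so ordinary "your account" notices without a message.zip attachment are not flagged; a gateway that simply blocks .zip attachments, as geniph describes below, is the blunter but more robust control.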
 
arcane1 Donating Member (1000+ posts) Fri Aug-01-03 03:33 PM
Response to Original message
6. hmm, I think one of my users was hit with this earlier today
but our virus software killed it

oddly enough, the message told him that his email address will soon be changing, and we ARE changing them soon!
 
geniph Donating Member (1000+ posts) Fri Aug-01-03 03:58 PM
Response to Original message
7. That's why I block zip files
and most other attachment types on the mail servers I administer. Zips can contain malicious code, as this one does. This one's a real pain in the butt.
 
Richardo Donating Member (1000+ posts) Fri Aug-01-03 04:00 PM
Response to Original message
8. I got four of these today (so far) thru the firewall..
To paraphrase John Turturro's character (Pete) in O Brother, Where Art Thou?:

"DO...NOT...OPEN...the attachment..."
 
Bossy Monkey Donating Member (1000+ posts) Fri Aug-01-03 04:11 PM
Response to Original message
9. Here's what McAfee says:
http://vil.nai.com/vil/content/v_100523.htm
They've already updated their DAT files for it (today); no doubt Norton has too by now.
 
a_random_joel Donating Member (1000+ posts) Fri Aug-01-03 05:07 PM
Response to Original message
10. More info...
http://www.infoworld.com/article/03/08/01/HNw32mail_1.html

This one spoofs admin@yourdomain.com, which is why so many users trust it and why it is spreading so quickly.
 

© 2001 - 2011 Democratic Underground, LLC