W32/Mimail-A

Category: Viruses and Spyware
Protection available since: 01 Aug 2003 00:00:00 (GMT)
Type: Win32 worm
Last updated: 01 Aug 2003 00:00:00 (GMT)
Prevalence:


W32/Mimail-A is a worm that arrives with the following characteristics:

Subject line: your account <random letters>
Message text:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: message.zip

W32/Mimail-A spoofs the From field of the sent emails using the email address admin@<your domain>.

Inside the message.zip compressed file is another file called message.html. If this file is opened, the worm will copy itself to:

C:\<Windows>\exe.tmp
and
C:\<Windows>\videodrv.exe

The worm exploits a known security vulnerability. A patch has been available from Microsoft for some months which reportedly fixes the vulnerability.

W32/Mimail-A adds the following entry to the registry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
=C:\<Windows>\videodrv.exe

The worm looks for email addresses in files on the local drive. It attempts to exclude the following extensions from its search:

  • AVI
  • BMP
  • CAB
  • COM
  • DLL
  • EXE
  • GIF
  • JPG
  • MP3
  • MPG
  • OCX
  • PDF
  • PSD
  • RAR
  • TIF
  • VXD
  • WAV
  • ZIP

It places the email addresses it finds in the file C:\<Windows>\eml.tmp.
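
A mail-gateway check for the message traits listed above, as an added example that is not part of the original advisory or any Sophos code. It assumes "<random letters>" means alphabetic characters and "<your domain>" means the recipient's domain; the function names and the sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the "<random letters>" suffix in the subject is purely alphabetic.
SUBJECT_RE = re.compile(r"^your account\s+[a-z]+$", re.IGNORECASE)

def mimail_a_indicators(raw: bytes) -> list[str]:
    """Return which of the advisory's message traits a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        hits.append("subject")
    # Assumption: "<your domain>" is the recipient's domain (first To address only).
    from_local, _, from_domain = parseaddr(str(msg["From"] or ""))[1].lower().partition("@")
    to_domain = parseaddr(str(msg["To"] or ""))[1].lower().rpartition("@")[2]
    if from_local == "admin" and from_domain and from_domain == to_domain:
        hits.append("spoofed-from")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # named like the worm's archive but not a readable zip
        if "message.html" in names:
            hits.append("zip-contains-message.html")
    return hits

def build_sample(subject: str, sender: str, recipient: str, inner_name: str) -> bytes:
    """Constructed test message carrying a harmless zip; not a captured sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "<html>placeholder</html>")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, recipient
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

A message matching all four traits is a strong candidate for quarantine; a lone "attachment-name" hit is weak on its own and better treated as a signal to log.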
