W32/Mimail-A

Category: Viruses and Spyware Protection available since:01 Aug 2003 00:00:00 (GMT)
Type: Win32 worm Last Updated:24 Sep 2014 21:17:07 (GMT)
Prevalence: Many Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Mimail-A is a worm that arrives with the following characteristics:

Subject line: your account <random letters>
Message text:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: message.zip

W32/Mimail-A spoofs the From field of the sent emails using the email address admin@<your domain>.

Inside the message.zip compressed file, is another file called message.html. If this file is opened, the worm will copy itself to

C:\<Windows>\exe.tmp
and
C:\<Windows>\videodrv.exe

The worm exploits a known security vulnerability. A patch has been available from Microsoft for some months which reportedly fixes the vulnerability.

The worm looks for email addresses in files on the local drive. It attempts to exclude the following extensions from its search:

  • AVI

  • BMP

  • CAB

  • COM

  • DLL

  • EXE

  • GIF

  • JPG

  • MP3

  • MPG

  • OCX

  • PDF

  • PSD

  • RAR

  • TIF

  • VXD

  • WAV

  • ZIP

It places the email addresses it finds in the file C:\<Windows>\eml.tmp W32/Mimail-A is a worm that arrives with the following characteristics:

Subject line: your account <random letters>
Message text:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: message.zip

W32/Mimail-A spoofs the From field of the sent emails using the email address admin@<your domain>.

Inside the message.zip compressed file, is another file called message.html. If this file is opened, the worm will copy itself to

C:\<Windows>\exe.tmp
and
C:\<Windows>\videodrv.exe

The worm exploits a known security vulnerability. A patch has been available from Microsoft for some months which reportedly fixes the vulnerability.

W32/Mimail-A adds the following entry to the registry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
=C:\<Windows>\videodrv.exe

The worm looks for email addresses in files on the local drive. It attempts to exclude the following extensions from its search:

  • AVI

  • BMP

  • CAB

  • COM

  • DLL

  • EXE

  • GIF

  • JPG

  • MP3

  • MPG

  • OCX

  • PDF

  • PSD

  • RAR

  • TIF

  • VXD

  • WAV

  • ZIP

It places the email addresses it finds in the file C:\<Windows>\eml.tmp

download Try Sophos products for free
Download now