high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Protection available since | 28 September 2003 09:47:06 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Mimail-A.
More Information
W32/Mimail-A is a worm that arrives with the following characteristics:
Subject line: your account <random letters>
Message text:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: message.zip
W32/Mimail-A spoofs the From field of the sent emails using the email address admin@<your domain>.
Inside the message.zip compressed file, is another file called message.html. If this file is opened, the worm will copy itself to
C:\<Windows>\exe.tmp
and
C:\<Windows>\videodrv.exe
The worm exploits a known security vulnerability. A patch has been available from Microsoft for some months which reportedly fixes the vulnerability.
The worm looks for email addresses in files on the local drive. It attempts to exclude the following extensions from its search:
- AVI
- BMP
- CAB
- COM
- DLL
- EXE
- GIF
- JPG
- MP3
- MPG
- OCX
- PSD
- RAR
- TIF
- VXD
- WAV
- ZIP
It places the email addresses it finds in the file C:\<Windows>\eml.tmp W32/Mimail-A is a worm that arrives with the following characteristics:
Subject line: your account <random letters>
Message text:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: message.zip
W32/Mimail-A spoofs the From field of the sent emails using the email address admin@<your domain>.
Inside the message.zip compressed file, is another file called message.html. If this file is opened, the worm will copy itself to
C:\<Windows>\exe.tmp
and
C:\<Windows>\videodrv.exe
The worm exploits a known security vulnerability. A patch has been available from Microsoft for some months which reportedly fixes the vulnerability.
W32/Mimail-A adds the following entry to the registry to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
=C:\<Windows>\videodrv.exe
The worm looks for email addresses in files on the local drive. It attempts to exclude the following extensions from its search:
- AVI
- BMP
- CAB
- COM
- DLL
- EXE
- GIF
- JPG
- MP3
- MPG
- OCX
- PSD
- RAR
- TIF
- VXD
- WAV
- ZIP
It places the email addresses it finds in the file C:\<Windows>\eml.tmp
|
