W32/Mimail@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 08/01/2003
Length: 16,815 bytes
Minimum DAT: 4282 (08/01/2003)
Updated DAT: 4382 (07/28/2004)
Minimum Engine: 5.1.00
Description Added: 08/01/2003
Description Modified: 01/12/2004 9:02 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

The 4192 DAT files (or higher) and 4.1.60+ scan engine will detect this threat in some environments, under the detection name Exploit-Codebase.

This malware resembles Downloader-CY in message construction; Downloader-CY was spammed several days ago, and this threat may have been spammed as well. It is received as an email attachment as follows.

From: Admin (ADMIN@your_domain)
Subject: your account %user%
Importance: High

Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

--- Best regards, Administrator

Attachment: message.zip

The attached .ZIP file contains a file named MESSAGE.HTM. This file uses the codebase exploit (MS02-015) and MHTML exploit (MS03-014) to automatically create the file foo.exe in the Temporary Internet Files folder and run it.

Note: The MS03-014 patch must be applied to prevent the automatic execution of the executable when accessing the MESSAGE.HTM file.
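As an added example (not part of the McAfee description), the following mail-gateway check flags the traits of the lure described above: a subject beginning "your account", Importance: High, and a ZIP attachment that carries an .htm file. The sample message it builds is constructed and harmless, and the function names are this example's own.

```python
from __future__ import annotations

import email
import io
import re
import zipfile
from email.message import EmailMessage

# Traits of the lure as the advisory describes it (constants are this example's own).
SUBJECT_RE = re.compile(r"^\s*your account\b", re.IGNORECASE)
HTML_EXT = (".htm", ".html", ".mht", ".mhtml")


def zip_html_members(data: bytes) -> list[str]:
    """Return the HTML-like member names inside a ZIP payload ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(HTML_EXT)]
    except zipfile.BadZipFile:
        return []


def mimail_lure_indicators(raw: bytes) -> list[str]:
    """Return the lure traits found in a raw RFC 822 message (empty = nothing seen)."""
    msg = email.message_from_bytes(raw)
    hits: list[str] = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject matches 'your account ...'")
    if msg.get("Importance", "").strip().lower() == "high":
        hits.append("Importance: High")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = zip_html_members(part.get_payload(decode=True) or b"")
            if members:
                hits.append(f"ZIP attachment {name} contains HTML member(s): {members}")
    return hits


def build_sample(subject: str, member: str) -> bytes:
    """Constructed sample message (NOT the worm): the ZIP holds a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "<html>placeholder text, no exploit content</html>")
    msg = EmailMessage()
    msg["From"] = "Admin <ADMIN@example.invalid>"
    msg["Subject"] = subject
    msg["Importance"] = "High"
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()
```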

The following files are created in the WINDOWS (%WinDir%) directory:

  • videodrv.exe (19,824 bytes)
  • exe.tmp (20,445 bytes)
  • zip.tmp (20,567 bytes)

The following registry run key is created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VideoDriver" = C:\WINNT\videodrv.exe

First, the virus checks to see if the system is connected to the Internet by trying to contact google.com. If this check succeeds, the virus attempts to harvest email addresses from the local system. It grabs addresses from all files on the system, except files that have the following extensions:
  • avi
  • bmp
  • cab
  • com
  • dll
  • exe
  • gif
  • jpg
  • mp3
  • mpg
  • ocx
  • pdf
  • psd
  • rar
  • tif
  • vxd
  • wav
  • zip

Found addresses are stored in a file named eml.tmp in the WINDOWS directory.

An additional registry key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}

Symptoms

Presence of the following files in the WINDOWS directory:

  • videodrv.exe
  • eml.tmp
  • exe.tmp
  • zip.tmp

Method of Infection

This mass-mailing worm was likely spammed to thousands of email addresses. When run, the worm harvests addresses found on the local system and sends itself to those addresses.

The mailing routine attempts to query the mail server for the domain of each harvested address and sends messages through that SMTP server. The code also references the IP address 212.5.86.163 and may mail through list.ru.

Removal

All Users:
Use the 4282 DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Microsoft Patches
Ensure that your system is not at risk from the exploited vulnerabilities, MS02-015 and MS03-014.

Stand-alone remover
Stinger has been updated to include detection/removal of this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
    - WinNT/2K/XP - Terminate the process videodrv.exe
  2. Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
    • videodrv.exe
    • eml.tmp
    • exe.tmp
    • zip.tmp
  3. Edit the registry
    • Delete the "VideoDriver" value from
      1. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
        CurrentVersion\Run"
      2. "HKEY_CURRENT_USER\Software\Microsoft\Windows\
        CurrentVersion\Run"
    • Delete the key "{11111111-1111-1111-1111-111111111111}" from
      1. "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
  4. Reboot the system
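The following, added here as an example and not part of the McAfee description, checks collected host artefacts for the indicators named under Symptoms and in the manual removal steps above: the dropped files in the WINDOWS directory, the "VideoDriver" Run value in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and the Distribution Units key. It assumes as input a listing of the WINDOWS directory and a text .reg export; the sample artefacts and function names are constructed for this example.

```python
from __future__ import annotations

# Indicators named in the advisory (files dropped in %WinDir%, the startup hook,
# and the Code Store Database entry). Keys are lower-cased for case-insensitive matching.
DROPPED_FILES = {"videodrv.exe", "eml.tmp", "exe.tmp", "zip.tmp"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
RUN_VALUE = "VideoDriver"
DIST_UNIT = (r"hkey_local_machine\software\microsoft\code store database"
             r"\distribution units\{11111111-1111-1111-1111-111111111111}")


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for a text .reg export: [key] sections and "name"="data" lines."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes in string data as "\\".
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def mimail_indicators(windir_listing: list[str], reg_export: str) -> list[str]:
    """Report which W32/Mimail@MM indicators appear in the collected artefacts."""
    findings = []
    present = DROPPED_FILES & {name.lower() for name in windir_listing}
    findings += [f"dropped file present: {name}" for name in sorted(present)]
    for key, values in parse_reg_export(reg_export).items():
        if key.lower() in RUN_KEYS and RUN_VALUE in values:
            findings.append(f"startup hook {key}\\{RUN_VALUE} = {values[RUN_VALUE]}")
        elif key.lower() == DIST_UNIT:
            findings.append(f"Distribution Unit key present: {key}")
    return findings


# Constructed sample artefacts (not taken from a real infected host).
SAMPLE_LISTING = ["explorer.exe", "videodrv.exe", "eml.tmp", "win.ini"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver"="C:\\WINNT\\videodrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}]
"""
```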

ThreatScan users
The latest ThreatScan signature (2003-08-01) includes detection of the W32/Mimail@MM virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.

To update your ThreatScan installations with the latest signatures perform the following tasks:

  1. From within ePO open the “Policies” tab.
  2. Select “McAfee ThreatScan” and then select “Scan Options”
  3. In the pane below click the “Launch AutoUpdater” button.
  4. Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update, a message will appear stating that update 2003-08-01 has completed successfully.
  5. From within ePO create a new “AutoUpdate on Agent(s)” task.
  6. Go into the settings for this task and ensure that the host field is set to ftp.nai.com, the path is set to /pub/security/tsc20/updates/winnt/, and that the user and password fields are both set to ftp. Note that “tsc20” in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is “tsc25”.
  7. Launch this task against all agent machines.
  8. When the task(s) complete information will be available in the “Task Status Details” report.

To create and execute a new task with the new Hot Fix functionality do the following:

  1. Create a new ThreatScan task.
  2. Edit the settings of this task.
  3. Edit the “Task option”, “Host IP Range” to include all desired machines to scan.
  4. Select the “Remote Infection Detection” category and “Windows Virus Checks” template.
    -or-
    Select the “Other” category and “Scan All Vulnerabilities” template.
  5. Launch the scan.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Mimail (F-Secure)
  • W32.Mimail.A@mm (Symantec)
  • W32/Mimail.a@MM
  • WORM_MIMAIL.A (Trend)
