Virus Profile

Name: W32/Mimail@MM
Risk Assessment - Home Users: Medium
Risk Assessment - Corporate Users: Medium
Date Discovered: 8/1/2003
Date Added: 8/1/2003
Origin: Unknown
Length: 16,815 bytes
Type: Virus
SubType: E-mail worm
DAT Required: 4282

Virus Characteristics

The 4192 DAT files (or higher) with the 4.1.60+ scan engine will detect this threat in some environments, under the detection name Exploit-Codebase. This malware resembles Downloader-DK, which was spammed several days ago, in how its message is constructed; this threat may also have been spammed. It is received as an email attachment as follows.
From: Admin (ADMIN@your_domain)
Subject: your account %user%
Importance: High

Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
---
Best regards,
Administrator

Attachment: message.zip
The attached .ZIP file contains a file named MESSAGE.HTM. When this file is opened in a vulnerable browser, it uses the codebase exploit to automatically create the file foo.exe in the Temporary Internet Files folder and run it. The following files are created in the WINDOWS (%WinDir%) directory:

videodrv.exe (19,824 bytes)
exe.tmp (20,445 bytes)
zip.tmp (20,567 bytes)

The following registry run key is created to load the worm at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"VideoDriver" = C:\WINNT\videodrv.exe

First, the worm checks whether the system is connected to the Internet by trying to contact google.com. If this check succeeds, it harvests email addresses from the local system: every file on the system is parsed for email addresses unless its extension is one of the following:

avi bmp cab com dll exe gif jpg mp3 mpg ocx pdf psd rar tif vxd wav zip

Found addresses are stored in a file named eml.tmp in the WINDOWS directory. An additional registry key is created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}

Indications of Infection

Presence of the following files in the WINDOWS directory:
videodrv.exe
eml.tmp
exe.tmp
zip.tmp

Method of Infection

This mass-mailing worm was likely spammed to thousands of email addresses. When run, the worm harvests addresses found on the local system and sends itself to those addresses. The mailing routine looks up the mail server for the domain of each harvested address and sends messages through that SMTP server. The code also makes reference to the IP address 212.5.86.163 and may mail through list.ru.
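A mail-gateway check for the lure and attachment described in the Virus Characteristics and Method of Infection sections, added here as an example; it is not McAfee's code. It scores a message on the traits the profile lists (spoofed "admin" at the recipient's own domain, a subject beginning "your account", Importance: High, a ZIP attachment) and inflates the ZIP to look for an HTML member carrying an OBJECT tag with a CODEBASE attribute. That tag shape is an assumption about how the codebase exploit is delivered; the profile only states that MESSAGE.HTM uses the exploit. The sample message is constructed inline from the lure text above, and its MESSAGE.HTM is a harmless stand-in that mimics the tag shape only.

```python
"""Mail-gateway check for the W32/Mimail@MM lure profiled above.

Added example, not McAfee's code. It flags messages that carry the lure
described in the profile and that ship an HTML file inside a ZIP attachment
containing an OBJECT tag with a CODEBASE attribute (the assumed shape of the
codebase exploit). The sample message is constructed here; its MESSAGE.HTM is a
harmless stand-in that only mimics that tag shape, not the real exploit page.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^your account\b", re.I)
OBJECT_CODEBASE_RE = re.compile(
    r"<object\b[^>]*\bcodebase\s*=\s*['\"]?([^'\"\s>]+)", re.I | re.S)
MAX_MEMBER = 1 << 20  # do not inflate archive members larger than 1 MiB


def archived_html_codebase_hits(zip_bytes):
    """Return (member, codebase target) for every HTML member of the ZIP that
    contains an OBJECT/CODEBASE tag. Corrupt archives yield no hits."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith((".htm", ".html")):
                    continue
                if info.file_size > MAX_MEMBER:
                    hits.append((info.filename, "<oversized member, not inspected>"))
                    continue
                text = zf.read(info).decode("latin-1", errors="replace")
                hits.extend((info.filename, m.group(1))
                            for m in OBJECT_CODEBASE_RE.finditer(text))
    except zipfile.BadZipFile:
        pass
    return hits


def score_message(raw):
    """Parse a raw RFC 822 message and return (score, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    s_local, _, s_dom = sender.partition("@")
    r_dom = recipient.partition("@")[2]
    # The lure spoofs "admin" at the recipient's own domain.
    if s_local == "admin" and s_dom and s_dom == r_dom:
        reasons.append("From is admin@ the recipient's own domain")
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        reasons.append("Subject starts with 'your account'")
    if str(msg.get("Importance", "")).lower() == "high":
        reasons.append("Importance: High")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        reasons.append(f"ZIP attachment {name}")
        for member, target in archived_html_codebase_hits(part.get_payload(decode=True)):
            reasons.append(f"{name}:{member} has OBJECT codebase -> {target}")
    return len(reasons), reasons


def build_sample(recipient="user@example.com"):
    """Constructed lure: headers and body text from the profile, harmless HTM."""
    local, domain = recipient.split("@")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MESSAGE.HTM",
                    '<html><object codebase="foo.exe"></object></html>')
    m = EmailMessage()
    m["From"] = f"Admin <admin@{domain}>"
    m["To"] = recipient
    m["Subject"] = f"your account {local}"
    m["Importance"] = "High"
    m.set_content("Hello there,\n\nI would like to inform you about important "
                  "information regarding your email address. This email address "
                  "will be expiring. Please read attachment for details.\n\n---\n"
                  "Best regards,\nAdministrator\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="message.zip")
    return m.as_bytes()


if __name__ == "__main__":
    score, reasons = score_message(build_sample())
    print(f"score={score}")
    for r in reasons:
        print(" -", r)
```

The archive inspection is the part worth keeping even after the lure text changes: a ZIP whose HTML member points an OBJECT tag at a program is a stronger signal than any header, and the per-member size cap keeps a crafted archive from exhausting the gateway while it inflates.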
Removal Instructions

All Users: Use the 4282 DAT files for detection and removal. Alternatively, EXTRA.DAT and SUPER EXTRA.DAT packages are available.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).

Manual Removal Instructions

To remove this virus "by hand", follow these steps:
- Win9x/ME: Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
- WinNT/2K/XP: Terminate the process videodrv.exe.

Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt):
videodrv.exe
eml.tmp
exe.tmp
zip.tmp

Edit the registry:
- Delete the "VideoDriver" value from both
  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and
  "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
- Delete the key "{11111111-1111-1111-1111-111111111111}" from
  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"

Reboot the system.

See also: Additional Windows ME/XP removal considerations.

Aliases

Mimail (F-Secure), W32.Mimail.A@mm (Symantec), WORM_MIMAIL.A (Trend)

McAfee is a business unit of Network Associates, Inc. © 2003, Networks Associates Technology, Inc. All Rights Reserved.
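The manual removal steps above as a script, added here as an example; it is not McAfee's tooling. evaluate() takes a snapshot of the host (the %WinDir% listing, the values under both Run keys, the subkey names under Distribution Units, and the running image names) and reports which of the profile's indicators are present; snapshot() and clean() do the live reads and the removal on a Windows host through winreg, tasklist and taskkill. Assumptions: the process image is videodrv.exe, %WinDir% is taken from the WINDIR environment variable, and the Distribution Units key is deleted recursively because winreg.DeleteKey refuses a key that still has children. The snapshot used to exercise evaluate() off-box is constructed.

```python
"""Host check and cleanup for the W32/Mimail@MM indicators in this profile.

Added example, not McAfee's tooling. evaluate() is pure and runs off-box on a
hand-built snapshot; snapshot() and clean() touch the live host and need an
elevated 64-bit Python on 64-bit Windows (WOW64 would redirect HKLM\SOFTWARE).
"""
import os
import subprocess
import sys
try:
    import winreg  # Windows only; evaluate() does not need it
except ImportError:
    winreg = None

WORM_FILES = ("videodrv.exe", "eml.tmp", "exe.tmp", "zip.tmp")
RUN_VALUE = "VideoDriver"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
DIST_UNITS_SUBKEY = r"SOFTWARE\Microsoft\Code Store Database\Distribution Units"
DIST_UNIT_CLSID = "{11111111-1111-1111-1111-111111111111}"
WINDIR = os.environ.get("WINDIR", r"C:\Windows")  # assumption: %WinDir% from the environment

def evaluate(windir_files, run_values, dist_units, processes):
    """Return (kind, detail) for each indicator in a snapshot. run_values maps
    "HKLM"/"HKCU" to {value name: data} for the Run key. Case-insensitive."""
    found = []
    names = {f.lower() for f in windir_files}
    found += [("file", f) for f in WORM_FILES if f in names]
    for hive, values in run_values.items():
        for name, data in values.items():
            # The value name from the profile, or any value whose data points at
            # videodrv.exe in case a variant renames it.
            if name.lower() == RUN_VALUE.lower() or "videodrv.exe" in str(data).lower():
                found.append(("run", f"{hive}:{name}"))
    if DIST_UNIT_CLSID.lower() in {u.lower() for u in dist_units}:
        found.append(("distunit", DIST_UNIT_CLSID))
    if "videodrv.exe" in {p.lower() for p in processes}:
        found.append(("process", "videodrv.exe"))
    return found

def _hive(name):
    return {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[name]

def _enum(key, fn):
    """Collect winreg.EnumValue/EnumKey results until the index runs out."""
    items, i = [], 0
    while True:
        try:
            items.append(fn(key, i))
        except OSError:
            return items
        i += 1

def _delete_tree(root, subkey):
    """winreg.DeleteKey refuses keys that have children; delete those first."""
    with winreg.OpenKey(root, subkey) as k:
        children = _enum(k, winreg.EnumKey)
    for child in children:
        _delete_tree(root, subkey + "\\" + child)
    winreg.DeleteKey(root, subkey)

def snapshot():
    """Read the live host: %WinDir% listing, both Run keys, Distribution Units, tasklist."""
    run_values = {}
    for hive_name in ("HKLM", "HKCU"):
        try:
            with winreg.OpenKey(_hive(hive_name), RUN_SUBKEY) as k:
                run_values[hive_name] = {n: d for n, d, _ in _enum(k, winreg.EnumValue)}
        except OSError:
            run_values[hive_name] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DIST_UNITS_SUBKEY) as k:
            dist_units = _enum(k, winreg.EnumKey)
    except OSError:
        dist_units = []
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    processes = [ln.split('","')[0].strip('"') for ln in out.splitlines() if ln.startswith('"')]
    return os.listdir(WINDIR), run_values, dist_units, processes

def clean(found):
    """The manual steps in the profile's order: kill the process, delete the files,
    drop the Run value(s), drop the Distribution Units key. Reboot afterwards."""
    if ("process", "videodrv.exe") in found:
        subprocess.run(["taskkill", "/F", "/IM", "videodrv.exe"], check=False)
    for kind, detail in found:
        if kind == "file":
            os.remove(os.path.join(WINDIR, detail))
        elif kind == "run":
            hive_name, value = detail.split(":", 1)
            with winreg.OpenKey(_hive(hive_name), RUN_SUBKEY, 0, winreg.KEY_SET_VALUE) as k:
                winreg.DeleteValue(k, value)
        elif kind == "distunit":
            _delete_tree(winreg.HKEY_LOCAL_MACHINE, DIST_UNITS_SUBKEY + "\\" + detail)

if __name__ == "__main__":
    if winreg is None:
        sys.exit("run on the affected Windows host")
    found = evaluate(*snapshot())
    print("\n".join(f"{k}: {d}" for k, d in found) or "no indicators found")
    if found and "--clean" in sys.argv:
        clean(found)
        print("cleaned; reboot the system")
```

Run it without arguments first to see what is present, then with --clean; the process is killed before the files are removed so the executable is not in use when os.remove runs, and the script ends by asking for the reboot the profile requires.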