RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
From: Anthony Clendenen (aclendenen_at_esri.com)
Date: 08/01/03
- Previous message: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
- Maybe in reply to: Danny: "WORM_MIMAIL.A Anyone have any info on what this does yet?"
- Next in thread: Daniel Wittenberg: "WORM_MIMAIL.A cleaner ?"
- Reply: Daniel Wittenberg: "WORM_MIMAIL.A cleaner ?"
To: "'Schmehl, Paul L'" <pauls@utdallas.edu>, Danny <drh26@drexel.edu>, incidents@securityfocus.com
Date: Fri, 1 Aug 2003 13:05:17 -0700
From TrendMicro's site.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.A
This is an Internet worm that propagates via email using its own Simple Mail
Transfer Protocol (SMTP) engine.
The email message has the following details:
Subject: your account %n%
Body: Hello there, I would like to inform you about important information
regarding youremail address.
This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
Attachment: "message.zip"
(Note: %n% is a variable string.)
TrendLabs is working to provide a more in depth analysis of this malware.
Please refer to the Technical details for more information about this
malware.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend
Micro System Cleaner.
MANUAL REMOVAL INSTRUCTIONS
Terminating the Malware Program
This procedure terminates the running malware process from memory.
1. Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the process:
VIDEODRV.EXE
3. Select the malware process, then press either the End Task or the End
Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task
Manager, and then open it again.
5. Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not
show certain processes. You may use a third party process viewer to
terminate the malware process. Otherwise, continue with the next procedure,
noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
"VideoDriver"="%Windows%\videodrv.exe"
(Note: %Windows% refers to the Windows folder, usually C:\Windows or
C:\WINNT.)
4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory, as
described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as
WORM_MIMAIL.A. To do this, Trend Micro customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
Trend Micro's free online virus scanner.
-Anthony
-----Original Message-----
From: Schmehl, Paul L [mailto:pauls@utdallas.edu]
Sent: Friday, August 01, 2003 11:17 AM
To: Danny; incidents@securityfocus.com
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
<http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html>
We're blocking message.zip at the gateway.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
> -----Original Message-----
> From: Danny [mailto:drh26@drexel.edu]
> Sent: Friday, August 01, 2003 12:56 PM
> To: incidents@securityfocus.com
> Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
>
> We are getting flooded with these little puppies, does anyone have any
> additional info on what this thing does once it infects a host? I'll be
> infecting a box to test myself after I send this email but if anyone has
> done testing already it would be great to hear your input.
---------------------------------------------------------------------------
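The message details quoted above (subject "your account %n%", attachment "message.zip") and the gateway block mentioned in the thread can be expressed as a mail-filter check. This is an added example, not code from the original posts or from Trend Micro; the function names and the example.com addresses are assumptions, and the sample messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators from the Trend Micro text quoted above.
SUBJECT_RE = re.compile(r"^\s*your account\b", re.IGNORECASE)  # "%n%" suffix varies
ATTACHMENT_NAME = "message.zip"


def mimail_indicators(raw_message):
    """Return which WORM_MIMAIL.A indicators one raw RFC 822 message carries."""
    # policy.default decodes RFC 2047 encoded subjects and filenames.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    # walk() descends into nested multipart parts, so an attachment inside
    # a forwarded or wrapped message is still inspected.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits


def should_quarantine(raw_message):
    """Gateway decision used in the thread: block on the attachment name."""
    return "attachment" in mimail_indicators(raw_message)


def build_sample(subject, filename=None):
    """Constructed test message; the attachment is an empty ZIP archive."""
    m = EmailMessage()
    m["From"] = "administrator@example.com"  # placeholder address
    m["To"] = "user@example.com"             # placeholder address
    m["Subject"] = subject
    m.set_content("This email address will be expiring.")
    if filename:
        empty_zip = b"PK\x05\x06" + b"\x00" * 18
        m.add_attachment(empty_zip, maintype="application",
                         subtype="zip", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, att in [("your account kfjwqpzx", "message.zip"),
                      ("Quarterly report", "report.zip")]:
        print(subj, "->", mimail_indicators(build_sample(subj, att)))
```

Matching on the attachment name alone catches the message even if the subject text changes, while the subject match is reported separately so it can be logged without blocking legitimate account mail.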