F-Secure Virus Descriptions : Mimail.A

This virus is ranked as a Level 2 alert under F-Secure Radar.

NAME: Mimail.A
ALIAS: WORM_MIMAIL, W32.MIMAIL.A, TrojanDropper.JS.Mimail

Summary

Mimail is a mass-mailer that spreads in e-mails forged to look like an administrative message from the local system administrator.

Detailed Description

The messages that Mimail sends look like this:

  From: admin@local-domain-name
  Subject:   your account                 <random characters>

  Hello there,

  I would like to inform you about important information regarding your
  email address.  This email address will be expiring.
  Please read attachment for details
  ---
  Best regards,   Administrator

  <random characters>

  Attachment:  message.zip

The attachment contains message.html which, when opened in vulnerable versions of Internet Explorer, drops an executable named foo.exe and runs it. For more information on the IE MHTML vulnerability used here, please see

http://www.microsoft.com/technet/security/bulletin/MS03-014.asp

While foo.exe is being dropped and run, the user sees large text in the browser reading "Please wait loading message ....." in red on a black background.

When foo.exe is run, it mails itself to addresses found on the local hard drive, using its own SMTP engine. The SMTP engine reads the DNS server settings of the infected computer and falls back to a hardcoded default server if none is configured. For each message it sends, the worm performs a Mail Exchange (MX) lookup on the DNS server for the recipient's domain. If an MX host can be located, Mimail connects to it and delivers the mail over SMTP.

While installing itself, the worm copies itself to the Windows directory as "videodrv.exe" and registers that file under the system registry auto-run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  VideoDriver = %WinDir%\videodrv.exe

The worm also creates the following files in the Windows directory:

 exe.tmp  - the worm as an HTML file
 zip.tmp  - the worm's HTML file in a ZIP archive (method "stored", i.e. no compression)
 eml.tmp  - list of e-mail addresses found on the infected machine

To create the ZIP archive the worm uses its own routine that writes the ZIP file format.

To send infected messages the worm uses its own built-in SMTP engine. It collects the e-mail addresses it targets from local files.
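As an added example (not F-Secure's code), a gateway-side check that flags a message matching the lure described above: the "your account" subject, a message.zip attachment, and a message.html entry stored uncompressed inside it. The sample message is constructed inline, and the From domain is a placeholder.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

def mimail_indicators(raw):
    """Return Mimail.A lure traits found in one raw RFC 822 message.
    Checks only what the description lists: 'your account' subject,
    message.zip attachment, message.html stored uncompressed inside."""
    msg = message_from_bytes(raw)
    found = []
    if (msg.get("Subject") or "").strip().lower().startswith("your account"):
        found.append("subject:your account")
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        found.append("attachment:message.zip")
        try:  # inspect the archive without extracting anything to disk
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for info in zf.infolist():
                    if info.filename.lower() == "message.html":
                        found.append("zip:message.html")
                        if info.compress_type == zipfile.ZIP_STORED:
                            found.append("zip:stored")
        except zipfile.BadZipFile:
            found.append("attachment:bad-zip")
    return found

def build_sample(subject, html_name, stored):
    """Build a constructed lure-shaped message (not a real capture) for testing."""
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(html_name, "<html><body>Please wait loading message .....</body></html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.com"  # placeholder for the spoofed local domain
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please read attachment for details")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(mimail_indicators(build_sample("your account  xkq9", "message.html", True)))
```

A full match returns all four indicators; a benign zip attachment returns only "attachment:message.zip" and should not be blocked on that alone.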

Detection

F-Secure Anti-Virus detects this worm with database updates starting from:

[FSAV_Database_Version]
Version=2003-08-01_03


Technical Details: Mikko Hypponen and Gergely Erdelyi of F-Secure Corp; Eugene Kaspersky of Kaspersky Labs, August 1st, 2003
