F-Secure Virus Descriptions : Mimail.D
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
The Mimail.D worm was found on the 1st of November, 2003. It is a close
variant of the Mimail.A worm. The description of the Mimail.A variant
can be found here:
http://www.europe.f-secure.com/v-descs/mimail.shtml
The worm file is a PE executable 24608 bytes long. It is not
compressed.
The worm copies itself as VIDEODRV.EXE into the Windows directory and
creates a startup value for that file in the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver" = "%windir%\videodrv.exe"
where %windir% is the Windows directory.
The worm spreads itself in an e-mail message with the following contents:
Subject:
your account <some random characters>
Body:
Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.
Best regards, Administrator
<some random characters>
Attachment:
message.zip
The attachment contains message.html which, when opened in a
vulnerable version of Internet Explorer, drops an executable named
epo.exe and runs it. For more information on the IE MHTML
vulnerability used here, please see
http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
This worm variant doesn't have a payload.
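The delivery pattern described above (subject starting with "your account", a message.zip attachment holding message.html) can be flagged at the mail gateway. The following is an added example, not F-Secure's code; the sample message it builds is constructed here, and the zipped HTML is a harmless placeholder, not the exploit file.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: subject prefix, zip name, inner file name.
SUBJECT_PREFIX = "your account"
ZIP_NAME = "message.zip"
INNER_NAME = "message.html"


def mimail_d_indicators(raw: bytes) -> list:
    """Return the Mimail.D delivery indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ZIP_NAME:
            continue
        hits.append("zip-attachment")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("bad-zip")  # unreadable archive: still worth holding for review
            continue
        if INNER_NAME in names:
            hits.append("zip-contains-message.html")
    return hits


def build_sample(subject: str, inner_name: str) -> bytes:
    """Constructed test message; the zipped HTML is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "<html><body>placeholder</body></html>")
    msg = EmailMessage()
    msg["From"] = "administrator@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ZIP_NAME)
    return bytes(msg)
```

A message that matches all three indicators returns the full list; a benign zip under the same name returns only "zip-attachment", so the subject and inner-file checks are what separate this worm from ordinary zipped mail.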
Detection
Detection in F-Secure Anti-Virus was published on November 1st,
2003 in the following updates:
[FSAV_Database_Version]
Version=2003-11-01_02
Technical Details:
Alexey Podrezov, November 3rd, 2003;
F-Secure Corporation