Virus Alert about the W32/Mimail@MM Virus (826325)
The information in this article applies to:
Microsoft Outlook Express 6 for Windows
Microsoft Outlook Express 5.5 for Windows
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.5
Microsoft Outlook 2002
Microsoft Outlook 2000
SUMMARY
W32/Mimail@MM is a new e-mail worm. The Microsoft Product Support Services Security Team is issuing this alert to inform customers about this worm, which appears to be spreading. Best practices, such as applying security patches, should prevent infection by this worm. Review the information and then take the appropriate action for your environment.
MORE INFORMATION
The virus arrives as an attachment to an e-mail message with the following format:
From: Admin
Subject: your account %user%
Importance: High
Hello there,
I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details.
--- Best regards, Administrator
Attachment: message.zip
The attached .zip file contains a file named Message.htm. This file automatically creates the file Foo.exe in the Temporary Internet Files folder and then runs it.
The following files are created in the Windows (%WinDir%) folder:
Videodrv.exe (19,824 bytes)
Exe.tmp (20,445 bytes)
Zip.tmp (20,567 bytes)
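The file names and sizes listed above can be checked for directly. The following Python script is an added example, not part of the original article: it reports files in a given Windows folder whose names match the list and says whether the size also matches. The function names `scan_windows_dir` and `build_sample_dir`, the "name-only" verdict, and the sample files are assumptions made for this example.

```python
import os
import tempfile

# File names (lower-cased) and sizes in bytes, as listed in the article.
MIMAIL_FILES = {"videodrv.exe": 19824, "exe.tmp": 20445, "zip.tmp": 20567}


def scan_windows_dir(windir):
    """Return sorted (path, size, verdict) tuples for files named in the article.

    verdict is "match" when name and size both agree with the article, and
    "name-only" when only the name agrees (unrelated file or a variant).
    """
    findings = []
    try:
        entries = list(os.scandir(windir))
    except OSError:  # folder missing or unreadable: nothing to report
        return findings
    for entry in entries:
        # Windows file names are case-insensitive, so compare lower-cased.
        expected = MIMAIL_FILES.get(entry.name.lower())
        if expected is None or not entry.is_file(follow_symlinks=False):
            continue
        size = entry.stat(follow_symlinks=False).st_size
        verdict = "match" if size == expected else "name-only"
        findings.append((entry.path, size, verdict))
    return sorted(findings)


def build_sample_dir(root):
    """Constructed sample data: inert zero-filled files, not worm code."""
    samples = {"VIDEODRV.EXE": 19824, "zip.tmp": 100, "notepad.exe": 20445}
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    windir = os.environ.get("WINDIR")  # set on Windows; absent elsewhere
    if windir:
        results = scan_windows_dir(windir)
    else:  # no Windows folder: demonstrate on the constructed samples
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_dir(tmp)
            results = scan_windows_dir(tmp)
    for path, size, verdict in results:
        print(f"{verdict:9} {size:>6} {path}")
```

A "match" result is a reason to have the computer examined with antivirus software, not proof of infection; a file name and size alone do not identify a file's contents.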
The following registry run key is created to load the worm at startup:
This worm uses a previously announced vulnerability as part of its infection method. Because of this, make sure that your computer is patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-014:
If your computer has been infected with this virus, contact Microsoft Product Support Services or contact your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:
For additional details about this worm from antivirus software vendors who are participating in the Microsoft Virus Information Alliance (VIA), visit the following Web sites: