Virus Alert about the W32/Mimail@MM Virus (826325)



The information in this article applies to:

  • Microsoft Outlook Express 6 for Windows
  • Microsoft Outlook Express 5.5 for Windows
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 5.5
  • Microsoft Outlook 2002
  • Microsoft Outlook 2000

SUMMARY

W32/Mimail@MM is a new e-mail worm that appears to be spreading. The Microsoft Product Support Services Security Team is issuing this alert to inform customers about it. Best practices, such as applying security patches, should prevent infection from this worm. Review the information and then take the appropriate action for your environment.

MORE INFORMATION

The virus is received as an e-mail attachment with the following format:

From: Admin

Subject: your account %user%

Importance: High

Hello there, I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details.

--- Best regards, Administrator

Attachment: message.zip

The attached .zip file contains a file named Message.htm. This file automatically creates the file Foo.exe in the Temporary Internet Files folder and then runs it.

The following files are created in the Windows (%WinDir%) folder:

  • Videodrv.exe (19,824 bytes)
  • Exe.tmp (20,445 bytes)
  • Zip.tmp (20,567 bytes)

The following registry run key is created to load the worm at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This key has the following value:

"VideoDriver" = C:\WINNT\videodrv.exe

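The file and registry indicators listed above can be checked offline against artifacts collected from a host. The following Python code is an added example, not part of the original article or Microsoft's own tooling. It assumes the Run key was exported with regedit and decoded to text, and that a name-to-size listing of the Windows folder is available; the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators from the article: files dropped in %WinDir% (name -> size in bytes)
# and the Run-key value that starts the worm at boot.
WORM_FILES = {"videodrv.exe": 19824, "exe.tmp": 20445, "zip.tmp": 20567}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE, RUN_TARGET = "videodriver", "videodrv.exe"
REG_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse decoded regedit export text into {key: {value name: string data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := REG_STRING.match(line)):
            # .reg files escape backslashes and quotes; undo that here.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def check_host(reg_text, windir_listing):
    """Return (kind, detail) findings; windir_listing maps file name -> size."""
    findings = []
    data = parse_reg_export(reg_text).get(RUN_KEY.lower(), {}).get(RUN_VALUE)
    # Compare the file name only: %WinDir% differs between hosts (WINNT, WINDOWS).
    if data is not None and ntpath.basename(data.strip('"')).lower() == RUN_TARGET:
        findings.append(("run-key", data))
    for name, size in windir_listing.items():
        expected = WORM_FILES.get(name.lower())
        if expected is not None:
            # A name match with a different size is kept apart for manual review.
            kind = "file-exact" if size == expected else "file-name-only"
            findings.append((kind, name))
    return findings

# Constructed sample data (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeUpdater"="C:\\Program Files\\Updater\\upd.exe"
"VideoDriver"="C:\\WINDOWS\\videodrv.exe"
'''
SAMPLE_LISTING = {"notepad.exe": 66048, "VIDEODRV.EXE": 19824, "zip.tmp": 512}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REG, SAMPLE_LISTING):
        print(finding)
```
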
Prevention

This worm uses a previously-announced vulnerability as part of its infection method. Because of this, make sure that your computer is patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-014:

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or contact your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:

Related Microsoft Security Bulletins

As always, make sure to use the latest antivirus detection from your antivirus vendor to detect new viruses and their variants.

For more information about this alert, visit the following Microsoft Web site:

REFERENCES

For additional details about this worm from antivirus software vendors who are participating in the Microsoft Virus Information Alliance (VIA), visit the following Web sites:

  • Network Associates
  • Trend Micro
  • Symantec
  • Computer Associates
  • Sybari

For more information about the Microsoft Virus Information Alliance, visit the following Microsoft Web site:

Contact your antivirus vendor for additional details about this virus.

Modification Type: Minor
Last Reviewed: 8/17/2006
Keywords: kbvirus kbSECAntiVirus kbinfo KB826325 kbAudITPRO kbAudEndUser