Notices
NSC-030802: Another Microsoft Worm Spreading Around Campus - "Mimail"
The IT Security Office has received several questions about a message that
is being received by users around campus. The message appears to be from
"your system administrator" and contains a zip file. This zip file by
itself is not dangerous but it contains an HTML (web) file that when opened
will cause the computer to forward a copy of this worm to any e-mail
address it can find on the computer. We are urging users to delete this
message should they receive it.
The campus-licensed version of Norton Antivirus will detect this worm ONLY
if you have run Live Update and your virus definitions are listed as
"8/1/2003 Rev 21". We are requesting that all users run Norton Live Update
to ensure their virus definitions are up to date.
Here is the information from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
The following information was received from Microsoft.
----------------------------------
PSS Security Response Team Alert - New Worm: W32/Mimail@MM
SEVERITY: MODERATE
DATE: August 1, 2003
PRODUCTS AFFECTED: Internet Explorer, Microsoft Outlook, Microsoft Outlook
Express, and Web-based e-mail programs
WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert
to inform customers about a new worm named W32/Mimail@MM, which appears to
be spreading in the wild. Best practices, such as applying security patches,
should prevent infection from this worm. Customers are advised to review
the information and take the appropriate action for their environments.
IMPACT OF ATTACK: Mass-Mailing
TECHNICAL DETAILS:
The virus is received as an e-mail attachment with the following format.
From: Admin
Subject: your account %user%
Importance: High
Hello there,
I would like to inform you about important information regarding your email
address. This email address will be expiring. Please read attachment for
details.
--- Best regards, Administrator
Attachment: message.zip
The attached .ZIP file contains a file named MESSAGE.HTM. This file
automatically creates the file foo.exe in the Temporary Internet Files
folder and runs it. The following files are created in the WINDOWS
(%WinDir%) directory:
videodrv.exe (19,824 bytes)
exe.tmp (20,445 bytes)
zip.tmp (20,567 bytes)
The following registry run key is created to load the worm at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"VideoDriver" = C:\WINNT\videodrv.exe
For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please
visit the following links:
Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.A
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=36092
Sybari:
http://www.sybari.com/alerts/alertdetail.asp?Name=W32/Mimail.a@mm
For more information on Microsoft's Virus Information Alliance please visit
this link:
http://www.microsoft.com/technet/security/virus/via.asp
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION:
This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-014:
http://www.microsoft.com/security/security_bulletins/ms03-014.asp
RECOVERY:
If your computer has been infected with this virus, please contact
Microsoft Product Support Services or your preferred antivirus vendor for
assistance with removing it.
RELATED KB ARTICLES:
http://support.microsoft.com?kbid=826325
This article will be available within 24 hours.
RELATED SECURITY BULLETINS:
http://www.microsoft.com/security/security_bulletins/ms03-014.asp
RELATED LINKS:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/mimail.asp
As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.
PSS Security Response Team
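
For mail administrators triaging messages against the indicators in the alert above, the following is an added example, not code from the IT Security Office, Microsoft or any antivirus vendor. It checks a raw message for the subject prefix, the message.zip attachment name and a MESSAGE.HTM member inside the zip; the function names, addresses and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the alert text. The alert gives the subject as
# "your account %user%"; matching only the fixed prefix is an assumption.
SUBJECT_PREFIX = "your account"
ATTACHMENT_NAME = "message.zip"
INNER_NAME = "message.htm"


def mimail_indicators(raw):
    """Return the mail-level indicators from the alert that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT_NAME:
            continue
        hits.append("attachment-name")
        try:
            # Only list member names; nothing is extracted or opened.
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
            continue
        if INNER_NAME in names:
            hits.append("zip-contains-message.htm")
    return hits


def build_sample(subject, inner_name, attachment_name="message.zip"):
    """Constructed test message; the zip member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder")
    msg = EmailMessage()
    msg["From"] = "Admin <admin@example.edu>"
    msg["To"] = "user@example.edu"
    msg["Subject"] = subject
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()
```

A message matching all three indicators is a strong candidate for quarantine; a single hit such as the attachment name alone is only a prompt for a closer look.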