New Email Worm
CERT / IBM / Trend Micro / MS ^

Posted on 08/01/2003 12:19:53 PM PDT by dfrussell

New Internet Worm: worm_mimail.a

(Excerpt) Read more at microsoft.com ...


TOPICS: Miscellaneous
KEYWORDS: mdm; techindex
===========================================================================
II. Description

This worm attempts to exploit a vulnerability in Internet Explorer which allows a script to execute in the Local computer. See the following for more information: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp

===========================================================================
III. Technical Details

Arrival and Installation

This mass-mailing worm arrives as an email attachment, which is an HTML file containing a UPX-compressed Win32 EXE file. When the HTML file is opened, the malware code is executed and it exploits the Internet Explorer security system vulnerability. It then launches the .EXE file carrying the worm program.

Upon execution, this worm drops a copy of itself as VIDEODRV.EXE in the Windows directory.

This worm creates the following registry entries so that its copy, VIDEODRV.EXE, is executed at every Windows startup:

HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run "VideoDriver"="%Windows%\videodrv.exe"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Email Propagation

This malware propagates via email, which has the following details:

The email message has the following details:

Subject: your account %n%

Body: Hello there, I would like to inform you about important information regarding youremail address.

This email address will be expiring. Please read attachment for details.

Best regards, Administrator

Attachment: "message.zip"

(Note: %n% is a variable string.)

It uses the following Simple Mail Transfer Protocol (SMTP) servers:

acm.org
alias2.acm.org
mirc.com
mx2.daemonmail.net
iglou.com
mail.iglou.com
ft.com
winamp.com
mail.winamp.com
smtp.ceruleanstudios.com
ceruleanstudios.com

It also tries the following list of usernames to connect to the above SMTP servers:

admin@acm.org
jseward@acm.org
Jseward
admin@mirc.com
servers@mirc.com
Servers
admin@iglou.com
idm@iglou.com
admin@winamp.com
aus@winamp.com
Aus
admin@mirc.com
tjerk@mirc.com
admin@ceruleanstudios.com
info@ceruleanstudios.com
Info
tjerk@mirc.com

Other Details

This malware uses a known vulnerability in the Internet Explorer security system.

===========================================================================

IV. Removal Instructions

MANUAL REMOVAL INSTRUCTIONS

NOTE: For Windows ME and Windows XP you will have to turn off System Restore before you start this process.

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager.

2. On Windows 95/98/ME systems, press CTRL+ALT+DELETE

3. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.

4. In the list of running programs*, locate the process: VIDEODRV.EXE

5. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.

To check if the malware process has been terminated, close Task Manager, and then open it again.

6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.

2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

3. In the right panel, locate and delete the entry: "VideoDriver"="%Windows%\videodrv.exe"

(Note: %Windows% refers to the Windows folder, usually C:\Windows or C:\WINNT.)

4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.

===========================================================================

V. IBM Comments

Turn off all unneeded services and get updated virus definitions from your antivirus software vendor's website and install them as soon as they're available.

===========================================================================
ACKNOWLEDGEMENTS

Symantec
Trend Micro, Inc.

1 posted on 08/01/2003 12:19:53 PM PDT by dfrussell
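The persistence entry and the lure message described in the advisory above can be turned into a simple host and mail-gateway indicator check. The following Python script is an added example, not code from the advisory, from CERT, IBM, Trend Micro or the poster; the registry export text and the key=value mail-log format it parses are constructed samples, and that log format is an assumption of this example.

```python
"""
Indicator check for the Mimail.A worm described in the advisory above.
Added example, not part of the advisory or the forum post. It runs
offline on constructed sample data: a text export of the Run key in
the form regedit's File > Export writes, and a few mail-gateway log
lines in an assumed key=value format.
"""
import re

# Indicators taken from the advisory text.
RUN_VALUE_NAME = "VideoDriver"
DROPPED_FILE = "videodrv.exe"
LURE_ATTACHMENT = "message.zip"
# Subject "your account %n%", where %n% is a variable string.
LURE_SUBJECT_RE = re.compile(r"^your account\s+\S+", re.IGNORECASE)

# Constructed sample: a .reg export of the Run key on an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BenignApp"="C:\\Program Files\\Benign\\app.exe"
"VideoDriver"="C:\\WINDOWS\\videodrv.exe"
"""

# Constructed sample: gateway log lines, one message per line (assumed format).
SAMPLE_MAIL_LOG = [
    'from=admin@acm.org to=bob@example.test subject="your account 47a9" attach=message.zip',
    'from=alice@example.test to=bob@example.test subject="lunch?" attach=',
    'from=idm@iglou.com to=carol@example.test subject="your account b2" attach=message.zip',
    'from=news@example.test to=bob@example.test subject="your account statement" attach=stmt.pdf',
]


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files write each backslash in string data as two.
                result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def find_run_key_indicators(reg_text):
    """Flag Run-key values matching the worm's autostart entry or dropped file."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME.lower() or DROPPED_FILE in data.lower():
                hits.append((key, name, data))
    return hits


def parse_mail_log_line(line):
    """Parse the assumed key=value log format into a dict (quoted values allowed)."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S*)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def find_mail_indicators(log_lines):
    """Flag messages carrying both the lure subject and the message.zip attachment."""
    hits = []
    for line in log_lines:
        f = parse_mail_log_line(line)
        if LURE_SUBJECT_RE.match(f.get("subject", "")) and f.get("attach", "").lower() == LURE_ATTACHMENT:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for key, name, data in find_run_key_indicators(SAMPLE_REG_EXPORT):
        print(f"autostart indicator: [{key}] {name!r} -> {data}")
    for msg in find_mail_indicators(SAMPLE_MAIL_LOG):
        print(f"lure indicator: from={msg['from']} to={msg['to']} subject={msg['subject']!r}")
```

Requiring both the subject pattern and the attachment name keeps a legitimate "your account statement" mail with a PDF from being flagged; on a real gateway you would also want to alert on the attachment name alone, since the subject's variable part may change.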

To: dfrussell
Anyone that opens an email attachment with that kind of text deserves what they get.
2 posted on 08/01/2003 12:21:37 PM PDT by Sir Gawain (Every Jedi has a semi-retarded twin -- http://www.jedimaster.net)

To: dfrussell
We just got a warning at work over this one, must be a nasty one
3 posted on 08/01/2003 12:22:50 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)

To: dfrussell
Thanks for the heads up on this little nasty.
4 posted on 08/01/2003 12:22:53 PM PDT by lilylangtree

To: boxerblues
Ditto our office. A few nincompoops opened it up.
5 posted on 08/01/2003 12:24:19 PM PDT by COBOL2Java

To: Sir Gawain
I am totally clueless about computers and things like this scare me, but I was told to never open any new email unless I am sure where it is coming from. :-}
6 posted on 08/01/2003 12:24:55 PM PDT by Arpege92

To: dfrussell
My college email server just had someone report that today! Somehow they sent it from the admin's own account to another group on campus. That's really freaky...
7 posted on 08/01/2003 12:25:02 PM PDT by Ayn Rand wannabe (Veritas vos Liberabit)

To: COBOL2Java
We don't normally get warnings ahead of time. They usually wait until it has almost shut down the network before notification goes out. Guess nobody in IS wants the OT this weekend lol
8 posted on 08/01/2003 12:26:59 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)

To: dfrussell
The patch Q319182, which is over a year old, protects against this virus.
9 posted on 08/01/2003 12:27:06 PM PDT by Lunatic Fringe (When news breaks, we fix it.)

To: Arpege92
#1 rule: if you don't know who sent it, the delete is your best friend. If you see a lot of messages from your "friends" with the same subject all of a sudden, chances are it is a virus. Better safe than sorry.
10 posted on 08/01/2003 12:29:07 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)

To: dfrussell
That link says the dates of this are March 2002 and May 2003.
11 posted on 08/01/2003 12:29:27 PM PDT by lainie

To: lainie
must be making the rounds again.
12 posted on 08/01/2003 12:32:39 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)

To: dfrussell
I'll take a dozen, going fishing in about 1 1/2 hours.
13 posted on 08/01/2003 12:33:04 PM PDT by ctlpdad

Final Windows Service Pack
14 posted on 08/01/2003 12:33:15 PM PDT by Michael Barnes (might as well get the OS flame war started early..)

To: Sir Gawain

I got an e mail earlier that gave me instructions for protecting my P.C. against any viruses.  It had something to do with renaming my C drive.  Gotta say, the P.C.'s been a little cranky since I did that, but it's nice to know I'm safe.

Owl_Eagle

”Unleash the Hogs of Peace.”
P.J. O'Rourke Parliament of Whores

15 posted on 08/01/2003 12:33:45 PM PDT by End Times Sentinel ("Fire can be our servant, whether it's toasting S'mores or raining down on Charlie"-Pcpl Skinner)

To: ctlpdad
oh good dinner
16 posted on 08/01/2003 12:35:01 PM PDT by boxerblues (God Bless the 101st, stay safe, stay alert and watch your backs)

To: boxerblues
Just got the email from our corp ES people, too. A couple of nincompoops bit it big time.
17 posted on 08/01/2003 12:36:16 PM PDT by woofer

To: dfrussell
Here is a correct link for information about this worm, named W32.MiMail.A
18 posted on 08/01/2003 12:36:47 PM PDT by willieroe

To: boxerblues
I just had to write the warning about this worm for my company. My e-mail will go to about 140,000 employees globally.

The weird thing is I don't even understand it.

I just take what the techies give me and turn it into English.

19 posted on 08/01/2003 12:36:48 PM PDT by dead (Perdicaris alive or Raisuli dead!)

To: boxerblues
W32.Mimail.A@mm security response

Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Systems Not Affected: Macintosh, OS/2, UNIX, Linux

Surprise, surprise.

20 posted on 08/01/2003 12:37:09 PM PDT by lainie