Posted on 08/01/2003 12:19:53 PM PDT by dfrussell
New Internet Worm: worm_mimail.a
(Excerpt) Read more at microsoft.com ...
This worm attempts to exploit a vulnerability in Internet Explorer which allows a script to execute in the Local computer zone. See the following for more information: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp
===========================================================================
III. Technical Details
Arrival and Installation
This mass-mailing worm arrives as an email attachment: an HTML file containing a UPX-compressed Win32 EXE file. When the HTML file is opened, the malware code executes by exploiting the Internet Explorer vulnerability referenced above (MS02-015), and then launches the EXE file carrying the worm program.
Upon execution, this worm drops a copy of itself as VIDEODRV.EXE in the Windows directory.
This worm creates the following registry entries so that its copy, VIDEODRV.EXE, is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"VideoDriver"="%Windows%\videodrv.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Email Propagation
This malware propagates via email messages with the following details:
Subject: your account %n%
Body:
Hello there, I would like to inform you about important information regarding your email address.
This email address will be expiring. Please read attachment for details.
Best regards, Administrator
Attachment: "message.zip"
(Note: %n% is a variable string.)
It uses the following Simple Mail Transfer Protocol (SMTP) servers:
acm.org alias2.acm.org mirc.com mx2.daemonmail.net iglou.com mail.iglou.com ft.com winamp.com mail.winamp.com smtp.ceruleanstudios.com ceruleanstudios.com
It also tries the following list of usernames to connect to the above SMTP servers:
admin@acm.org jseward@acm.org Jseward admin@mirc.com servers@mirc.com Servers admin@iglou.com idm@iglou.com admin@winamp.com aus@winamp.com Aus admin@mirc.com tjerk@mirc.com admin@ceruleanstudios.com info@ceruleanstudios.com Info tjerk@mirc.com
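The delivery pattern described above (a "your account %n%" subject, a message.zip attachment, and an HTML member carrying a UPX-packed Win32 EXE) written up as a mail-gateway triage check. This is an added example, not code from the advisory or from Symantec or Trend Micro; the message it scans is constructed here and the sender address is a placeholder.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subject pattern from the advisory: "your account %n%", %n% being a variable string.
SUBJECT_RE = re.compile(r"^your account \S+$", re.IGNORECASE)


def html_embeds_upx_exe(data: bytes) -> bool:
    """True when an HTML blob also carries a PE ('MZ') image with UPX section names."""
    return b"<html" in data.lower() and b"MZ" in data and b"UPX0" in data


def inspect_message(raw: bytes) -> dict:
    """Match a raw RFC 2822 message against the three Mimail.A delivery indicators."""
    msg = email.message_from_bytes(raw)
    hits = {"subject": bool(SUBJECT_RE.match(msg.get("Subject", "").strip())),
            "zip_attachment": False, "html_with_exe": False}
    for part in msg.walk():
        if part.get_filename() != "message.zip":
            continue
        hits["zip_attachment"] = True
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue  # corrupt archive: keep the name hit, nothing to scan inside
        for name in zf.namelist():
            if name.lower().endswith((".htm", ".html")) and html_embeds_upx_exe(zf.read(name)):
                hits["html_with_exe"] = True
    hits["verdict"] = "mimail.a-like" if all(hits.values()) else "clean"
    return hits


def build_sample(subject: str, html_member: bytes) -> bytes:
    """Constructed test message laid out as the advisory describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", html_member)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "administrator@example.invalid"  # placeholder sender
    msg["To"] = "user@example.invalid"
    msg.set_content("This email address will be expiring. Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return bytes(msg)
```

The three indicators are reported separately so a gateway can quarantine on the full match and only log a subject-only or name-only hit.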
Other Details
This malware exploits a known Internet Explorer vulnerability (MS02-015, referenced above).
===========================================================================
IV. Removal Instructions
MANUAL REMOVAL INSTRUCTIONS
NOTE: For Windows ME and Windows XP you will have to turn off System Restore before you start this process.
Terminating the Malware Program
This procedure terminates the running malware process from memory.
1. Open Windows Task Manager.
2. On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
3. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
4. In the list of running programs*, locate the process: VIDEODRV.EXE
5. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: "VideoDriver"="%Windows%\videodrv.exe"
(Note: %Windows% refers to the Windows folder, usually C:\Windows or C:\WINNT.)
4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.
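The autostart entry from the Arrival and Installation section, and the Run key the procedure above deletes, checked over a Registry Editor export (REGEDIT's File > Export output). This is an added example, not from the advisory or the vendors; the export text, including its benign entries, is constructed.

```python
import re

# Autostart keys the advisory's removal procedure walks the reader to.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
INDICATOR = re.compile(r"videodrv\.exe", re.IGNORECASE)  # %Windows%\videodrv.exe


def parse_reg_export(text: str) -> dict:
    """Map each [key path] in a .reg export to its {value name: string data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes in REG_SZ data; undo that here.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_mimail_autostart(text: str) -> list:
    """Return (key, value name, data) for Run-key values that launch videodrv.exe."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if INDICATOR.search(data):
                hits.append((key, name, data))
    return hits


# Constructed export: the Mimail.A entry beside a benign one, plus a RunOnce key
# that the Run-key filter leaves alone.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver"="C:\\WINNT\\videodrv.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINNT\\temp\\cleanup.exe"
"""
```

Running the check on an export taken after the manual removal should return an empty list; a remaining hit means the entry was not deleted or the worm re-created it because the process was still running.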
===========================================================================
V. IBM Comments
Turn off all unneeded services, and get updated virus definitions from your antivirus software vendor's website and install them as soon as they're available.
===========================================================================
ACKNOWLEDGEMENTS
Symantec
Trend Micro, Inc.
I got an e mail earlier that gave me instructions for protecting my P.C. against any viruses. It had something to do with renaming my C drive. Gotta say, the P.C.'s been a little cranky since I did that, but it's nice to know I'm safe.
Owl_Eagle
Unleash the Hogs of Peace.
P.J. O'Rourke, Parliament of Whores
The weird thing is I don't even understand it.
I just take what the techies give me and turn it into English.
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Surprise, surprise.