Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity NONE
Payload
Detection files published 31 Jul 2003 03:00:00
Description created 01 Aug 2003 01:40:00
Description updated 03 Aug 2003 11:27:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Mimail.A@mm

Spreading

The worm arrives as an email message that appears to come from "admin@[local domain]". The mail carries a zip file attachment containing a file named "message.html". This HTML file contains an executable program that can auto-execute when the HTML file is opened.

When the worm executes, it first copies itself to the Windows directory under the name VIDEODRV.EXE and creates a registry key to automatically start this file at bootup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
VideoDriver = [WINDIR]\VIDEODRV.EXE

In addition, three more files are created in the Windows directory:

ZIP.TMP - used when making the zip file
EXE.TMP - a copy of the executable program
EML.TMP - used when making the HTML file

The worm searches local files for email addresses to send itself to, but skips files with the following extensions:

*.com *.wav *.cab *.pdf *.rar *.zip *.tif *.psd *.ocx *.vxd *.mp3 *.avi *.dll *.exe *.gif *.jpg *.bmp

On some Windows versions, the worm is not visible in the task list.
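The persistence entry and dropped files listed above are the indicators a responder would check for on a suspect host. The following script is an added example, not part of the Lumension description: it takes an exported list of Run-key values and a listing of the Windows directory and reports which W32/Mimail.A@mm indicators are present. The sample registry entries and file names at the bottom are constructed for illustration; the path C:\WINDOWS stands in for the [WINDIR] placeholder used in the description.

```python
"""Check exported Run-key values and a %WINDIR% listing for W32/Mimail.A@mm indicators.

Added example; the indicators come from the threat description, the sample
data below is constructed and does not come from a real host.
"""
import ntpath

# Indicators taken from the threat description.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "VideoDriver"
DROPPED_EXE = "VIDEODRV.EXE"
DROPPED_TEMP = ("ZIP.TMP", "EXE.TMP", "EML.TMP")


def check_run_entries(entries):
    """entries: iterable of (key_path, value_name, value_data) tuples, e.g. from
    a registry export. Returns one finding per Run value whose name or target
    executable matches the worm's autostart entry (case-insensitive)."""
    findings = []
    for key_path, name, data in entries:
        if key_path.lower() != RUN_KEY.lower():
            continue
        # Strip quotes and keep only the file name so any drive/path matches.
        exe = ntpath.basename(data.strip().strip('"')).upper()
        if name.lower() == RUN_VALUE_NAME.lower() or exe == DROPPED_EXE:
            findings.append(f"Run value {name!r} starts {data!r}")
    return findings


def check_windir_listing(filenames):
    """filenames: iterable of file names found in the Windows directory.
    Returns the worm's dropped-file names that are present (case-insensitive)."""
    present = {f.upper() for f in filenames}
    return [f for f in (DROPPED_EXE,) + DROPPED_TEMP if f in present]


def assess(entries, filenames):
    """Combine both checks. The autostart entry or the copied executable is
    treated as a positive; the .TMP files alone are only reported, since a
    name like ZIP.TMP is too generic to stand on its own."""
    run = check_run_entries(entries)
    files = check_windir_listing(filenames)
    infected = bool(run) or DROPPED_EXE in files
    return {"run_findings": run, "dropped_files": files, "infected": infected}


# Constructed sample data (not from a real host).
SAMPLE_RUN = [
    (RUN_KEY, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (RUN_KEY, "videodriver", r"C:\WINDOWS\videodrv.exe"),
]
SAMPLE_WINDIR = ["explorer.exe", "videodrv.exe", "Zip.tmp", "EML.TMP", "notepad.exe"]

if __name__ == "__main__":
    result = assess(SAMPLE_RUN, SAMPLE_WINDIR)
    for line in result["run_findings"]:
        print("ALERT:", line)
    print("dropped files present:", result["dropped_files"])
    print("infected:", result["infected"])
```

On a real host the entries list would be filled from the Run key (for example from a registry export) and the file list from a directory listing of %WINDIR%; the matching is case-insensitive and ignores the drive and path of the autostart target because the description only fixes the file name.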

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11