RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: Butterworth, James J. EWC (C3F J39) (james.butterworthat_private)
Date: Fri Aug 01 2003 - 16:42:30 PDT


    There is a list of SMTP servers that, once infected, the virus will scan the infected system looking for valid emails, store it in "eml.tmp" C:\windows dir, and once it senses an internet connection will forward itself to everyone in the eml.tmp file via those external SMTP servers.  The virus writes the following key to make sure it runs at start up:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunVideoDriver=C:=Windows directory\videodrv.exe
    
    Check for:
    C:\Windows\videodrv.exe (payload)
    C:\Windows\eml.tmp (list of emails the payload found to send itself to)
    c:\Windows\foo.exe (installation file)
    
    r/Jim Butterworth
    
    
    > -----Original Message-----
    > From:	Jay Woody [SMTP:jay_woodyat_private]
    > Sent:	Friday, August 01, 2003 11:54 AM
    > To:	incidentsat_private
    > Subject:	RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > We are just dropping everything from adminat_private  This message seems
    > to always use admin as the "From:" field and just append our company
    > name to it.  We will probably also use another piece of equipment to do
    > a subject line drop also.
    > 
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
    > 
    > JayW
    > 
    > >>> "Schmehl, Paul L" <paulsat_private> 08/01/03 01:16PM >>>
    > <http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html>
    > 
    > We're blocking message.zip at the gateway.
    > 
    > Paul Schmehl (paulsat_private)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu/~pauls/ 
    > 
    > > -----Original Message-----
    > > From: Danny [mailto:drh26at_private] 
    > > Sent: Friday, August 01, 2003 12:56 PM
    > > To: incidentsat_private 
    > > Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > > 
    > > 
    > > We are getting flooded with these little puppies, does anyone have any
    > > additional info on what this thing does once it infects a host? I'll be
    > > infecting a box to test myself after I send this email but if anyone has
    > > done testing already it would be great to hear your input.
    > 
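The thread above gives two kinds of handles on Mimail.A: host indicators (the videodrv.exe / eml.tmp / foo.exe files and the VideoDriver Run value from Jim's post) and gateway indicators (the admin@<company> From: address Jay drops and the message.zip attachment Paul blocks). The script below is an added example, not code from any poster in this thread, that turns both into checks. The sample message and the domain example.com are constructed for the demonstration; read_run_values is a hypothetical helper that only does real work on Windows, and the file-existence test is injectable so the matching logic can be exercised anywhere.

```python
"""Triage helpers for the W32/Mimail.A indicators discussed in this thread.

Host side:    files and the Run key value named in Jim's post.
Gateway side: the From: address and message.zip attachment the replies block.
"""
import email
import email.utils
from email import policy

# Files Jim's post says to check for, relative to the Windows directory.
MIMAIL_FILES = {
    "videodrv.exe": "payload",
    "eml.tmp": "harvested address list",
    "foo.exe": "installation file",
}
# Run key and value name that give the payload persistence at start-up.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "VideoDriver"


def host_indicators(windir, run_values, exists=None):
    """Return a list of the host indicators present.

    windir     -- the Windows directory, e.g. C:\\Windows
    run_values -- mapping of value name -> data read from RUN_KEY
    exists     -- file-existence test; defaults to os.path.isfile and is
                  injectable so the logic can run without a real C: drive
    """
    if exists is None:
        import os
        exists = os.path.isfile
    hits = []
    for name, role in MIMAIL_FILES.items():
        # Build a Windows-style path regardless of the host we run on.
        path = windir.rstrip("\\") + "\\" + name
        if exists(path):
            hits.append(f"{path} ({role})")
    data = str(run_values.get(RUN_VALUE, ""))
    if data.lower().replace('"', "").endswith("videodrv.exe"):
        hits.append(f"{RUN_KEY}\\{RUN_VALUE} = {data}")
    return hits


def read_run_values():
    """Hypothetical helper: read the per-machine Run key on Windows.

    Returns an empty mapping on any platform without winreg.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    values = {}
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def gateway_reasons(raw_message, our_domain):
    """Return the reasons a message matches the thread's gateway rules.

    Matches a From: of admin@<our_domain> (Jay's rule) and an attachment
    named message.zip (Paul's rule). An empty list means no match.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if addr == f"admin@{our_domain.lower()}":
        reasons.append(f"From: {addr}")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == "message.zip":
            reasons.append("attachment message.zip")
    return reasons


# Constructed sample message in the shape the thread describes
# (admin@ at our own domain, zip attachment named message.zip).
SAMPLE_MESSAGE = b"""From: admin@example.com
To: someone@example.com
Subject: your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello there
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    print("gateway:", gateway_reasons(SAMPLE_MESSAGE, "example.com"))
    print("host:   ", host_indicators(r"C:\Windows", read_run_values()))
```

On a real host, host_indicators(r"C:\Windows", read_run_values()) reports any of the three files plus a VideoDriver Run value pointing at videodrv.exe; the Run value check is what distinguishes an installed copy from a stray file, since Jim's post identifies that value as the start-up hook. At the gateway, gateway_reasons is the decision the replies describe: a non-empty list is a drop.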
    This archive was generated by hypermail 2b30 : Sun Aug 03 2003 - 08:43:29 PDT