From TrendMicro's site. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.A

This is an Internet worm that propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine. The email message has the following details:

Subject: your account %n%
Body:
Hello there,
I would like to inform you about important information regarding youremail address. This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
Attachment: "message.zip"

(Note: %n% is a variable string.)

TrendLabs is working to provide a more in depth analysis of this malware. Please refer to the Technical details for more information about this malware.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program
This procedure terminates the running malware process from memory.

1. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the process: VIDEODRV.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: "VideoDriver"="%Windows%\videodrv.exe"
   (Note: %Windows% refers to the Windows folder, usually C:\Windows or C:\WINNT.)
4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_MIMAIL.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your or .

-Anthony

-----Original Message-----
From: Schmehl, Paul L [mailto:paulsat_private]
Sent: Friday, August 01, 2003 11:17 AM
To: Danny; incidentsat_private
Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

<http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html>

We're blocking message.zip at the gateway.

Paul Schmehl (paulsat_private)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Danny [mailto:drh26at_private]
> Sent: Friday, August 01, 2003 12:56 PM
> To: incidentsat_private
> Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
>
> We are getting flooded with these little puppies, does anyone have any
> additional info on what this thing does once it infects a host? I'll be
> infecting a box to test myself after i send this email but if anyone
> has done testing already it would great to hear your input.
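The thread's practical response is a gateway block on the "message.zip" attachment, and the Trend Micro write-up also gives the worm's subject pattern ("your account %n%", where %n% varies). The following is an added example, not code from the thread or from Trend Micro, showing how a mail filter could match those two indicators from the page using only Python's standard email library. The sample messages it builds are constructed here for the demonstration; the attachment bytes are a placeholder, not a real archive.

```python
"""Match inbound mail against the WORM_MIMAIL.A indicators quoted on the page."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the Trend Micro write-up: a subject beginning
# "your account " (variable tail) and an attachment named message.zip.
SUBJECT_PREFIX = "your account"
ATTACHMENT_NAME = "message.zip"


def attachment_names(msg):
    """Return the filenames of all non-multipart parts that carry a name."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            names.append(fname)
    return names


def classify(raw_bytes):
    """Parse a raw RFC 822 message and report which indicators it matches.

    Returns a dict with the list of matched reasons and a 'block' decision.
    The gateway policy mirrored here (from the thread) blocks on the
    attachment name alone; the subject match is reported as extra evidence.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("subject", "")).strip().lower()
    reasons = []
    if subject.startswith(SUBJECT_PREFIX):
        reasons.append("subject")
    if any(n.lower() == ATTACHMENT_NAME for n in attachment_names(msg)):
        reasons.append("attachment")
    return {"reasons": reasons, "block": "attachment" in reasons}


def build_sample(subject, attach_name):
    """Constructed test message (hypothetical addresses, placeholder payload)."""
    msg = EmailMessage()
    msg["From"] = "administrator@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hello there, please read attachment for details.")
    # Placeholder bytes standing in for the attachment; not a real zip file.
    msg.add_attachment(b"placeholder-not-a-real-archive",
                       maintype="application", subtype="zip",
                       filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("your account 4821", "message.zip"),
                       ("Meeting notes", "notes.zip"),
                       ("Meeting notes", "message.zip")]:
        print(subj, name, classify(build_sample(subj, name)))
```

The subject check is a prefix match because the page says the tail (%n%) varies; the attachment check compares the declared filename case-insensitively, since that is what the gateway rule in the thread keys on.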
This archive was generated by hypermail 2b30 : Sun Aug 03 2003 - 08:55:51 PDT