CERT-In Incident Note CIIN-2003-01
W32/Mimail Virus
Original Issue Date: August 04, 2003
Maximum Severity: Medium
Type: Worm
Systems Affected: Microsoft Windows systems running Outlook Express/2000
Overview
This is a mass-mailing virus spreading through e-mail.
Description
The W32/Mimail virus spreads as an e-mail message with a malicious file attachment containing a specially crafted MHTML file named 'message.html'. This file is delivered inside a .ZIP archive file named 'message.zip'. When the e-mail is opened on a vulnerable system, the malicious code inside the 'message.html' file is installed and executed. The malicious code is a mass-mailer.
The email message may look like the following:
--------------------------------------------------------------------------
From: admin@<your domain>
Subject: <your account> [random text]
Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details
Best regards, Administrator
---------------------------------------------------------------------------
The attached .ZIP file contains a file named MESSAGE.HTM. This file uses the codebase exploit (as described in Microsoft Security Bulletin MS02-015) and MHTML exploit (as noted in Microsoft Security Bulletin MS03-014) to automatically create the file foo.exe in the Temporary Internet Files folder and run it.
According to Microsoft security bulletin MS03-014:
MHTML is a standard for exchanging HTML content in e-mail, and, as a result, the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content. However, the MHTML function has not been implemented separately in Internet Explorer - it uses Outlook Express to render the MHTML content.
Thus the MHTML-format file 'message.html' exploits a vulnerability in Outlook Express, but it poses a threat to any application that uses Internet Explorer to render its content.
The following files are created in the WINDOWS (%WinDir%) directory:
videodrv.exe
exe.tmp
zip.tmp
The following registry run key is created to load the worm at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"VideoDriver" = C:\WINNT\videodrv.exe
Afterwards the virus checks for Internet connectivity; if the check succeeds, it gathers e-mail addresses from the local system and stores them in a file named eml.tmp in the WINDOWS directory.
An additional registry key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}
Anti-virus vendors have developed signatures for W32/Mimail; links are provided under References.
Symptoms
Presence of the following files in the WINDOWS directory:
- videodrv.exe
- eml.tmp
- exe.tmp
- zip.tmp
Removal Instructions
To remove this virus, follow these steps:
1. Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
WinNT/2K/XP - Terminate the process videodrv.exe.
2. Delete the following files from the WINDOWS directory (typically c:\windows or c:\winnt):
videodrv.exe
eml.tmp
exe.tmp
zip.tmp
3. Edit the registry
Delete the "VideoDriver" value from
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Delete the key "{11111111-1111-1111-1111-111111111111}" from
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
4. Reboot the system.
Solution
Apply the patch
Refer to Microsoft Security Bulletin MS03-014 and apply the Cumulative Patch for Outlook Express (330994).
Run and maintain anti-virus software on the system
Users should install and run anti-virus software. The virus signature database files (generally named DAT files) should be updated regularly.
Do not run programs or open files of unknown origin
Email users should be wary of unexpected attachments or unusual links contained in email. Never download, install, run or open a program or file unless you know it to be authored by a person or company that you trust.
Filter email
Users can apply e-mail filtering techniques to delete messages known to contain this malicious code, or they can filter all attachments.
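The following filter, an added example rather than code from CERT-In or any of the referenced vendors, applies the lure characteristics described in this note (sender admin@<recipient's domain>, subject beginning with the recipient's account name, a message.zip attachment that contains message.htm) to one RFC 822 message. The sample message it builds is constructed for the demonstration and carries no exploit content.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

LURE_ATTACHMENT = "message.zip"
LURE_MEMBERS = {"message.htm", "message.html"}


def mimail_indicators(raw: bytes) -> list[str]:
    """Return the W32/Mimail lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.partition("@")
    r_local, _, r_domain = rcpt.partition("@")
    # The lure spoofs admin@<the recipient's own domain>
    if s_local == "admin" and s_domain and s_domain == r_domain:
        hits.append("spoofed admin@ sender in recipient's domain")
    # The subject starts with the recipient's account name plus random text
    if r_local and msg.get("Subject", "").lower().startswith(r_local):
        hits.append("subject begins with recipient account name")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != LURE_ATTACHMENT:
            continue
        hits.append("attachment named message.zip")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = {name.lower() for name in zf.namelist()}
        except zipfile.BadZipFile:
            continue  # not a valid archive, nothing more to inspect
        if members & LURE_MEMBERS:
            hits.append("ZIP contains message.htm")
    return hits


def build_sample() -> bytes:
    """Constructed lure resembling the note's example; the HTM member is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MESSAGE.HTM", "<html><!-- placeholder, no exploit --></html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.org"  # constructed, mirrors admin@<your domain>
    msg["To"] = "jsmith@example.org"
    msg["Subject"] = "jsmith hrqz"  # <your account> followed by random text
    msg.set_content("Hello there,\nPlease read attachment for details\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

Quarantining on any two or more indicators keeps the filter specific to this lure while still catching variants that change the subject text.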
References
CERT/CC Incident Note IN-2003-02
http://www.cert.org/incident_notes/IN-2003-02.html
CERT/CC Vulnerability Note VU#208052
http://www.kb.cert.org/vuls/id/208052
Microsoft Security Bulletin MS03-014
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp
Anti-Virus Vendors Sites
http://www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.A
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003