Re: clever virus attack (more MiMail virus info)

2004-03-04 Thread Lasse Karlsson
From: Frits Wüthrich [EMAIL PROTECTED]
 On Thu, 2004-03-04 at 06:20, Lawrence Kwan wrote:
   When I opened the zip file using the password, McAfee was able to find
   it and identify it as W32/[EMAIL PROTECTED]
  
  Wow, I am quite shocked that some of you would continue to open attached
  files from unknown sources.  DON'T RELY ON YOUR ANTI-VIRAL PROGRAM!
  Unless you fully expected to receive such a file, JUST DELETE IT if you
  don't know what it is all about.
 I didn't open the .exe file, I opened the ZIP file; that is quite
 something different. I wouldn't dream of opening the exe file, or pif or
 scr or whatever. I don't rely on my anti-virus software to stop it; I
 just wanted to find out what the virus was.
 I don't receive nor read in a Windows environment to begin with.
 So: no need to be shocked in my case.

At 
http://www.pchell.com/virus/mimail.shtml
(where there are more removal instruction links)

I found the following information, which would indicate that simply unzipping the file 
could trigger the exe-file to automatically run and infect you:
  
What is the MiMail.A Worm?
MiMail.A is a mass mailing worm that arrives as a zipped attachment in an email. The 
zip file has an html file attached. The html file message.htm takes advantage of two 
known security vulnerabilities, the MHTML exploit and the codebase exploit. The virus 
arrives as an email similar to:

From: admin@current domain (The from address may be spoofed to appear that it is 
coming from the current domain)

Subject: your account [random string]

Message:
Hello there,
I would like to inform you about important information regarding your email address. 
This email address will be expiring. Please read attachment for details.

Best regards,
Administrator

Attachment: Message.zip

How Does MiMail.A Worm Infect My System?

Once unzipped, the worm creates an exe file named foo.exe in the Temporary Internet 
Files directory and runs it. 

The following files are then created in the Windows directory:

videodrv.exe
exe.tmp (temporary copy of message.html)
zip.tmp (temporary copy of message.zip)

It also adds the following registry key to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

VideoDriver = C:\Windows\videodrv.exe 

as well as 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{----}

What Does the MiMail.A Worm Do?

Once a computer is infected, the virus checks to see if the system is connected to the 
Internet by trying to contact google.com. If it can contact google, then the worm 
attempts to gather email addresses from the infected computer. It grabs addresses from 
all files on the system, EXCEPT files that have the following extensions:

COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG, BMP

These addresses are then stored in a file named eml.tmp in the Windows directory. The 
worm has its own SMTP engine. For each email address the worm sends to, it will:

1. Look up the MX record for the domain name using the DNS server of the current host. If 
   a DNS server is not found, it will default to 212.5.86.163.
2. Acquire the mail server associated with that particular domain.
3. Directly contact the destination server.

How Can I Remove the MiMail.A worm?

Follow these steps in removing the MiMail worm.

1) Terminate the running program

Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or 
CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines. 
Locate the following program, click on it and End Task or End Process 
   VIDEODRV.EXE 

Close Task Manager

2) Remove the Registry entries

Click on Start, Run, Regedit 
In the left panel go to 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right panel, right-click and delete the following entry 
VideoDriver=%Windows%\videodrv.exe

Repeat this procedure for

HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units

In the right panel, locate and delete the entry: 
{----} 
Close the Registry Editor

3) Delete the infected files (for Windows ME and XP remember to turn off System 
Restore before searching for and deleting these files to remove infected backed up 
files as well)

Click Start, point to Find or Search, and then click Files or Folders.

Make sure that Look in is set to (C:\WINDOWS).

In the Named or Search for... box, type, or copy and paste, the file names:
eml.tmp
zip.tmp 
exe.tmp

Click Find Now or Search Now.

Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus 
program.

5) Apply the patches for the MHTML exploit and the codebase exploit to avoid viruses like 
this in the future.

For Automatic Removal of 
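An added example, my own code and not from the thread or from pchell.com: a Python mail-gateway check that flags the lure Lasse quotes above (a sender posing as admin@ the recipient's own domain, the "your account" subject, and a zip attachment containing HTML or an executable), run against a constructed sample message. The indicator names, the example.com addresses and the placeholder HTML are assumptions.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Members worth flagging inside the zip: the quoted text says message.htm carried the
# MHTML/codebase exploits; exe/pif/scr are the executables nobody in the thread would open.
RISKY_IN_ZIP = (".htm", ".html", ".exe", ".pif", ".scr")


def inspect_message(raw: bytes) -> list:
    """Return the list of MiMail.A lure indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt_domain = parseaddr(msg.get("To", ""))[1].lower().rpartition("@")[2]
    # Lure 1: the From address poses as admin@ the recipient's own domain.
    if rcpt_domain and sender == "admin@" + rcpt_domain:
        findings.append("from-spoofs-local-admin")
    # Lure 2: subject "your account [random string]".
    if msg.get("Subject", "").lower().startswith("your account"):
        findings.append("subject-your-account")
    # Payload: a zip attachment whose members include HTML or an executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            findings.append("zip-unreadable")
            continue
        findings.extend(f"zip-contains:{m}" for m in members if m.endswith(RISKY_IN_ZIP))
    return findings


def build_sample() -> bytes:
    """Constructed sample modelled on the quoted lure; the HTML is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.htm", "<html><body>placeholder</body></html>")
    msg = EmailMessage()
    msg["From"] = "Administrator <admin@example.com>"  # assumed recipient domain
    msg["To"] = "user@example.com"
    msg["Subject"] = "your account a1b2c3"
    msg.set_content("Hello there,\nPlease read attachment for details.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Message.zip")
    return bytes(msg)
```

Running inspect_message(build_sample()) reports all three indicators; a plain text message with no attachment yields an empty list.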

Re: clever virus attack (more MiMail virus info)

2004-03-04 Thread Frits Wüthrich
Yes, you are correct, one can't be too careful.

On Thu, 2004-03-04 at 16:16, Lasse Karlsson wrote: