Win32.Mimail.A@mm( W32/Mimail.A@mm )
SYMPTOMS / TECHNICAL DESCRIPTION:

It arrives as an e-mail in the following format:

From: admin@%domain% (where %domain% is the recipient's own domain)
Subject: Your account %randomstring%
Body:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
---
Best regards,
Administrator
Same %randomstring%
Attachment: Message.zip

When the user opens the attachment, it contains a file named message.html. That file holds the executable worm encapsulated in a specially formatted HTML file. The worm uses a codebase exploit, so when the HTML file is opened it drops foo.exe in the Temporary Internet Files folder and executes it. For more information about this exploit see: http://support.microsoft.com/default.aspx?scid=kb;en-us;330994

After foo.exe is executed, the worm creates the following files:
%WINDOWS%\videodrv.exe - a copy of foo.exe
%WINDOWS%\zip.tmp - the zipped file that will be sent as the attachment when spreading
%WINDOWS%\exe.tmp - a copy of message.html

It also creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
with the value: %WINDOWS%\videodrv.exe

The worm uses its own SMTP engine to send the e-mails. It searches for e-mail addresses in every file except those with the following extensions: com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg and bmp. All the addresses it finds are added to the following file:
%WINDOWS%\Eml.tmp
The worm then sends itself to every e-mail address it has found, in the same format in which it arrived.

NOTE: The HTML file inside the zip has a variable size.

Removal instructions:
Win32.Mimail.A@mm can be removed using either BitDefender or the dedicated tool. Only one of these methods is needed for disinfection.
Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender Antimimail-en.exe tool does the following: You may also need to restore the affected files.

ANALYZED BY: Sorin Victor DUDEA, BitDefender Virus Researcher
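As an added example (not part of the BitDefender description), a mail-gateway check in Python that flags messages matching the carrier format described above: a sender of admin@ in the recipient's own domain, the "Your account <random string>" subject, and a Message.zip attachment. The two sample messages are constructed for offline testing, not real captures.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Traits from the description: sender admin@<recipient's domain>, subject "Your account <random>", Message.zip.
SUBJECT_RE = re.compile(r"^Your account [A-Za-z0-9]+$")

def mimail_indicators(raw_message):
    """Return the Mimail.A carrier traits matched by one RFC 822 message text."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    sender_local, _, sender_domain = sender.rpartition("@")
    hits = []
    if sender_local == "admin" and sender_domain == recipient.rpartition("@")[2]:
        hits.append("sender admin@ in recipient's own domain")
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject 'Your account <random string>'")
    if any((p.get_filename() or "").lower() == "message.zip"
           for p in msg.iter_attachments()):
        hits.append("Message.zip attachment")
    return hits

def is_mimail_candidate(raw_message):
    """Flag only when the spoofed admin@ sender is paired with another trait,
    so mail from a genuine admin@ mailbox is not quarantined on its own."""
    hits = mimail_indicators(raw_message)
    return any(h.startswith("sender admin@") for h in hits) and len(hits) >= 2

# Constructed samples (not real captures) for offline testing.
WORM_SAMPLE = """\
From: admin@example.com
To: user@example.com
Subject: Your account qzr8ka
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Please read attachment for details.
--bnd
Content-Type: application/zip; name="Message.zip"
Content-Disposition: attachment; filename="Message.zip"

(zip bytes omitted)
--bnd--
"""
BENIGN_SAMPLE = "From: admin@example.com\nTo: user@example.com\n" \
    "Subject: Maintenance window tonight\n\nMail server reboots at 22:00.\n"
```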