Infection Level: High
Payload Threat Level: Low
-------------------------------------------
OVERVIEW
Mimail.A is a new mass-mailing worm that spreads via e-mail messages. IV Interceptor blocks the bogus attachment from being opened, and if you insist on opening it, IV's SAM kicks in when the worm adds the 'videodrv.exe' key to the startup list.
Mimail.A sends a fake e-mail message that looks like a message from the local system administrator. The e-mail includes a zipped attachment named message.zip, which contains a file called message.html. Opening the HTML file executes an embedded file, foo.exe, without any warning. The HTML file is launched in the Local Computer security zone, the most trusted zone, which gives active content permissions broad enough to perform potentially malicious actions.
Mimail.A exploits a well-known vulnerability in Microsoft Internet Explorer that was reported last February by the security researcher http-equiv at malware.com. A patch can be found at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp
The size of the attachment is 16kb.
Finjan Software customers are already protected from this worm.
TECHNICAL OVERVIEW
Aliases: WORM_MIMAIL, W32.MIMAIL.A, TrojanDropper.JS.Mimail, WORM_MIMAIL.A, W32.Mimail.A@mm, W32/Mimail
Mimail.A sends the following e-mail message:
From: Admin [admin@e-mail recipient's domain]
Subject: your account [name of e-mail recipient appears
here]
Importance: High
Hello there,
I would like to inform you about important information
regarding your e-mail address. This e-mail address will
be expiring. Please read attachment for details.
--- Best regards, Administrator
Attachment Name: message.zip
Attachment Size: 16Kb.
There are no other payloads aside from creating files and
changing the system registry in order to perform mass e-mailing.
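As an added example (not Finjan's code), the following Python mail-gateway heuristic flags messages that match the three lure traits listed above: a forged "Admin" sender at the recipient's own domain, a subject beginning "your account", and a message.zip attachment that contains message.html. The sample messages are constructed inline with a harmless placeholder HTML file; no worm content is involved.

```python
import email
import email.policy
import email.utils
import io
import zipfile
from email.message import EmailMessage


def _sender_spoofs_recipient_domain(msg):
    # The worm forges the sender as admin@<recipient's own domain>.
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()
    return "@" in recipient and sender == "admin@" + recipient.split("@", 1)[1]


def _has_html_in_message_zip(msg):
    # True when an attachment named message.zip carries a message.html entry.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower() == "message.html" for n in zf.namelist()):
                    return True
        except zipfile.BadZipFile:
            continue  # corrupt archive: not the lure, let other checks handle it
    return False


def is_mimail_lure(raw):
    """Flag a raw RFC 822 message that shows all three lure traits from the advisory."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg.get("Subject", "")).lower()
    return (subject.startswith("your account")
            and _sender_spoofs_recipient_domain(msg)
            and _has_html_in_message_zip(msg))


def build_sample(spoofed=True, subject="your account alice"):
    # Constructed sample message for testing the heuristic (placeholder HTML only).
    msg = EmailMessage()
    msg["From"] = "Admin <admin@example.org>" if spoofed else "Bob <bob@other.net>"
    msg["To"] = "alice@example.org"
    msg["Subject"] = subject
    msg.set_content("Please read attachment for details.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", "<html><body>placeholder</body></html>")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()
```

Requiring all three traits together keeps the rule from firing on ordinary zipped HTML attachments while still catching the lure as the advisory describes it.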