Infection Level: High
Payload Threat Level: Low
-------------------------------------------
OVERVIEW
Mimail.A is a new mass-mailing worm that spreads via e-mail messages. IV Interceptor blocks the bogus attachment from being opened, and if you insist on opening it, IV's SAM will kick in when the worm adds the 'videodrv.exe' key to the startup list.

Mimail.A sends a fake e-mail message that looks like an e-mail from the local system administrator. The e-mail message includes a zipped attachment named message.zip that contains a file called message.html. Upon opening the HTML file, an embedded file, foo.exe, is executed without any warning. The HTML file is launched in the Local Computer security zone, which is the most trusted security zone and which grants active content broader permissions to perform potentially malicious behavior.

Mimail.A exploits a well-known vulnerability in Microsoft Internet Explorer that was reported last February by the security researcher http-equiv at malware.com. A patch can be found at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp

The size of the attachment is 16KB.

Finjan Software customers are already protected from this worm.
TECHNICAL OVERVIEW
Aliases: WORM_MIMAIL, W32.MIMAIL.A, TrojanDropper.JS.Mimail, WORM_MIMAIL.A, W32.Mimail.A@mm, W32/Mimail

Mimail.A sends the following e-mail message:
From: Admin [admin@e-mail recipient's domain]
Subject: your account [name of e-mail recipient appears here]
Importance: High
Hello there,
I would like to inform you about important information
regarding your e-mail address. This e-mail address will
be expiring. Please read attachment for details.
--- Best regards, Administrator
Attachment Name: message.zip
Attachment Size: 16KB.

There are no other payloads aside from creating files and changing the system registry in order to perform mass e-mailing.
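The lure described above (admin@ the recipient's own domain, a "your account <name>" subject, Importance: High, and a message.zip attachment wrapping message.html) is easy to match at a mail gateway. The following is an added example, not Finjan's code or part of the original advisory: it builds a constructed sample message shaped like the worm's e-mail (the zip holds an inert placeholder page, not the worm's dropper), then scores the message against the advisory's indicators. Everything below, including the threshold and the indicator names, is an assumption chosen for the illustration; it uses only the Python standard library.

```python
"""Added example (not Finjan's code): flag mail matching the Mimail.A lure
described in the advisory. Indicator values are taken from the advisory text;
the sample message and its inert zip payload are constructed here."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators from the advisory
LURE_SUBJECT_PREFIX = "your account"
LURE_ATTACHMENT = "message.zip"
LURE_INNER_FILE = "message.html"
LURE_FROM_LOCALPART = "admin"


def build_sample_message(recipient="jdoe@example.test"):
    """Constructed sample shaped like the Mimail.A e-mail (inert payload)."""
    localpart, domain = recipient.split("@", 1)
    msg = EmailMessage(policy=policy.default)
    msg["From"] = f"Admin <{LURE_FROM_LOCALPART}@{domain}>"
    msg["To"] = recipient
    msg["Subject"] = f"{LURE_SUBJECT_PREFIX} {localpart}"
    msg["Importance"] = "High"
    msg.set_content(
        "Hello there,\nI would like to inform you about important information "
        "regarding your e-mail address. This e-mail address will be expiring. "
        "Please read attachment for details.\n--- Best regards, Administrator\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder standing in for the worm's message.html dropper page
        zf.writestr(LURE_INNER_FILE, "<html><body>placeholder</body></html>")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=LURE_ATTACHMENT)
    return msg


def build_benign_message(recipient="jdoe@example.test"):
    """Constructed ordinary message with no attachment, for comparison."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Colleague <colleague@partner.test>"
    msg["To"] = recipient
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Noon at the usual place?\n")
    return msg


def zip_member_names(data):
    """Member names of a zip blob, or [] if the bytes are not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def mimail_indicators(msg):
    """Return the list of Mimail.A lure indicators present in an EmailMessage."""
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt_domain = parseaddr(msg.get("To", ""))[1].lower().partition("@")[2]
    # Worm forges admin@<recipient's own domain>
    if rcpt_domain and sender == f"{LURE_FROM_LOCALPART}@{rcpt_domain}":
        hits.append("sender forged as admin@recipient-domain")
    if (msg.get("Subject", "") or "").lower().startswith(LURE_SUBJECT_PREFIX):
        hits.append("subject 'your account <name>'")
    if (msg.get("Importance", "") or "").lower() == "high":
        hits.append("Importance: High")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == LURE_ATTACHMENT:
            hits.append(f"attachment {LURE_ATTACHMENT}")
        inner = [n.lower() for n in zip_member_names(payload)]
        if LURE_INNER_FILE in inner:
            hits.append(f"zip contains {LURE_INNER_FILE}")
        if any(n.endswith((".html", ".htm")) for n in inner):
            # HTML opened from a zip runs in the Local Computer zone (see above)
            hits.append("zip contains HTML")
    return hits


def is_mimail_lure(msg, threshold=3):
    """Assumed policy: three or more indicators is treated as the lure."""
    return len(mimail_indicators(msg)) >= threshold


if __name__ == "__main__":
    for m in (build_sample_message(), build_benign_message()):
        print(m["Subject"], "->", mimail_indicators(m), is_mimail_lure(m))
```

The zipped-HTML check is kept separate from the message.zip/message.html name checks on purpose: a gateway rule keyed only on the two filenames stops matching the moment a variant renames them, while "zip attachment containing an HTML file" captures the delivery pattern the IE zone issue makes dangerous.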
©Finjan Software, manufacturers of Finjan SurfinGate for Web