Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mimail.A

Win32/Mimail.A is a worm that spreads as a file attached to e-mail messages. It runs on Windows 95 and later versions of Windows. Its body is 17144 bytes long and is compressed with the UPX packer.

Note: In the following text the symbolic name %windir% stands for the directory in which Windows is installed; this varies from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm arrives in a message whose subject is built from the words your account followed by a combination of randomly chosen characters, e.g. cdfcdvzd. The body of the message reads:

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator

The attachment is a file called message.zip. The worm forges the sender information so that the message appears to come from an administrator account named admin. The archive message.zip contains a file message.html; when this file is opened, the worm is launched through the vulnerability described in Microsoft Security Bulletin MS03-014 (Cumulative Patch for Outlook Express), see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp.
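The following Python script is added here as an editorial example; it is not part of the ESET encyclopedia entry. It checks a raw e-mail message for the lure characteristics described above: the "your account" subject with a random suffix, the sender spoofed as admin, and a message.zip attachment containing message.html. The sample message it builds is constructed for the test and carries an inert placeholder HTML file, not the exploit page; the exact subject spacing and the admin local part are assumptions about the lure.

```python
"""Mail-gateway check for the Win32/Mimail.A lure described above.

Indicators (all taken from the entry): subject "your account" plus random
characters, sender spoofed as an "admin" account, and an attachment named
message.zip that contains message.html.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# "your account" followed by a run of random characters, e.g. "your account cdfcdvzd"
# (assumed form of the subject; the entry only names the words and the random part)
SUBJECT_RE = re.compile(r"^your account\s*\w{4,}$", re.IGNORECASE)


def mimail_indicators(raw):
    """Return the list of Mimail.A indicators present in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    hits = []

    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject")

    # Local part of the From address; the worm spoofs it as "admin"
    m = re.search(r"([^<>@\s]+)@", str(msg.get("From", "")))
    if m and m.group(1).lower() == "admin":
        hits.append("from-admin")

    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment-message.zip")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("attachment-not-a-zip")
            continue
        if "message.html" in names:
            hits.append("zip-contains-message.html")
    return hits


def is_mimail_lure(raw):
    """Verdict: require the subject pattern and the zip/html pair; a spoofed From alone is too common."""
    needed = {"subject", "attachment-message.zip", "zip-contains-message.html"}
    return needed <= set(mimail_indicators(raw))


def build_sample(subject="your account cdfcdvzd", inner_name="message.html"):
    """Constructed test message (not a real Mimail.A capture); the HTML is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "<html>placeholder</html>")
    msg = EmailMessage()
    msg["From"] = "Administrator <admin@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Hello there,\n\nPlease read attachment for details.\n\n---\nBest regards, Administrator\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

The verdict deliberately ignores the From header: a spoofed admin sender is too common to act on by itself, but it is still reported so a gateway rule can weight it.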

Once run, the worm copies itself to %windir%\videodrv.exe and also creates the files exe.tmp and zip.tmp in the same folder; each of these files is 17144 bytes long. To ensure that its copy is started again after the system is restarted, the worm creates a value named VideoDriver under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and sets it to %windir%\videodrv.exe.

The worm harvests the e-mail addresses it spreads to by scanning files on the disk, skipping files with the following extensions:

com
wav
cab
pdf
rar
zip
tif
psd
ocx
vxd
mp3
mpg
avi
dll
exe
gif
jpg
bmp

Win32/Mimail.A saves the addresses it finds in the file %windir%\eml.tmp and then sends its copies to those addresses.
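As an added example (not from the original entry), the Python below checks a Windows directory for the files described above, matching the dropped copies on their 17144-byte size and reporting the eml.tmp address cache, and parses the text output of reg query for a Run value that launches videodrv.exe. The demo() fixture uses a temporary directory and a constructed reg query listing rather than a live system; the listing format is assumed to follow reg query's usual indented "name  REG_SZ  data" lines.

```python
"""Host-side check for the Win32/Mimail.A artifacts described above:
dropped files in %windir% and the VideoDriver value in the Run key."""
import os
import re
import tempfile

BODY_LENGTH = 17144                          # size of videodrv.exe, exe.tmp and zip.tmp per the entry
DROPPED_COPIES = ("videodrv.exe", "exe.tmp", "zip.tmp")
ADDRESS_CACHE = "eml.tmp"                    # harvested addresses; size varies
RUN_VALUE = "videodriver"
RUN_IMAGE = "videodrv.exe"


def scan_windir(windir):
    """Return {filename: reason} for suspicious files found directly in windir."""
    found = {}
    for name in os.listdir(windir):
        lower = name.lower()
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        if lower in DROPPED_COPIES:
            if size == BODY_LENGTH:
                found[lower] = "worm copy, size matches 17144 bytes"
            else:
                found[lower] = "name matches but size %d differs (variant or unrelated file)" % size
        elif lower == ADDRESS_CACHE:
            found[lower] = "harvested address cache"
    return found


def parse_run_key(reg_query_output):
    """Parse `reg query HKLM\\...\\Run` text output into {value_name: data} (assumed output format)."""
    values = {}
    for line in reg_query_output.splitlines():
        m = re.match(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def run_key_hit(values):
    """True if any Run value is named VideoDriver or launches videodrv.exe."""
    for name, data in values.items():
        image = os.path.basename(data.replace("\\", "/")).lower()
        if name.lower() == RUN_VALUE or image == RUN_IMAGE:
            return True
    return False


def demo():
    """Constructed fixture: a fake %windir% plus a constructed reg query listing (not real system data)."""
    windir = tempfile.mkdtemp()
    with open(os.path.join(windir, "videodrv.exe"), "wb") as f:
        f.write(b"\0" * BODY_LENGTH)         # right name, right size
    with open(os.path.join(windir, "zip.tmp"), "wb") as f:
        f.write(b"\0" * 100)                 # right name, wrong size: reported, not matched as the body
    with open(os.path.join(windir, "eml.tmp"), "w") as f:
        f.write("a@example.com\nb@example.com\n")
    with open(os.path.join(windir, "notepad.exe"), "wb") as f:
        f.write(b"\0" * BODY_LENGTH)         # same size, unrelated name: ignored
    reg_output = (
        "\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
        "    VideoDriver    REG_SZ    C:\\WINDOWS\\videodrv.exe\r\n"
        "    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\r\n"
    )
    return scan_windir(windir), run_key_hit(parse_run_key(reg_output))
```

On a real host, pass os.environ["windir"] to scan_windir() and the captured output of reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run to parse_run_key(); a size mismatch on a correctly named file is still worth a look, since later variants need not keep the 17144-byte body.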

NOD32 detects this worm from version 1.473 onward.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.