ALERT-TSA03-010

TSA 03-010 W32/Mimail@MM

- ----------------------------------------------------------------------
A new mass-mailing worm has been identified, and it has been reported that some corporations are seeing significant numbers of it in the wild.  The remarkable thing about this worm is that it arrives as a .zip file, which is often permitted to pass through perimeter virus walls.

- ----------------------------------------------------------------------

Alert Type: MALICIOUS CODE ALERT

Threat Type: Malicious Code Mass Mailing Worm

TS Action Alert ID: TSA 03-010

IntelliShield ID: 6422

Version: 2

Urgency: 4 - Probable Use

Credibility: 5 - Confirmed

Severity: 3 - Mild Damage

TEP: 4 - Hot

Universal: Yes


First Published: Aug 01, 2003; 01:46 PM EDT
Last Published: Aug 01, 2003; 03:08 PM EDT

Ports: Not Available

CVE: Not Available

Version Summary
- --------------------------------------------------------------------
Multiple vendors have released virus definitions that detect WORM_MIMAIL.A.
Variants
- -----------------------------------------------------------------
Variants are unavailable.

- --------------------------------------------------------------------
Virus Name: WORM_MIMAIL.A (Aliases include Win32.Mimail.A (Computer Associates) and W32.Mimail.A@mm (Symantec).)

- ----------------------------------------------------------------------

Description
- -----------------
WORM_MIMAIL.A is a mass-mailing worm that arrives as the attachment file message.zip.  When executed, the worm creates a copy of itself as the file videodrv.exe in the %Windows% directory. WORM_MIMAIL.A also modifies a registry key so that it runs when Windows is started.

Virus definitions are available.


Impact
- -----------------

WORM_MIMAIL.A contains a mass-mailing routine that could cause network congestion.
Warning Indicators
- -----------------
The presence of the file videodrv.exe may indicate an infection.
WORM_MIMAIL.A arrives in an e-mail with the following characteristics:

Subject: your account %name%

Body: Hello there, I would like to inform you about important Information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
Attachment: message.zip

The worm uses the following Simple Mail Transfer Protocol (SMTP) servers:


The worm attempts to connect to the above SMTP servers using the following list of usernames:



Technical Information

- -----------------
WORM_MIMAIL.A adds the value VideoDriver = "\%Windows%\videodrv.exe" to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm arrives as a .zip file that contains an HTML file with an embedded executable. Files that possess the .zip extension are opened in the Local Security Zone, which enables the worm to execute in that zone.
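The Run-key value above is the host indicator an administrator can check for. The following is an added example, not part of the TruSecure advisory: it parses a "reg export" style dump of the HKLM Run key and reports any value named VideoDriver or pointing at videodrv.exe. The sample export text is constructed for illustration; the other value names in it are placeholders.

```python
import re

# Run key named in the advisory; the worm adds the value VideoDriver here.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE = "videodriver"   # value name added by the worm (compared case-insensitively)
SUSPECT_FILE = "videodrv.exe"   # file the worm drops into %Windows%

# Constructed sample of a .reg export (not a real capture); the non-worm entries are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"VideoDriver"="C:\\WINDOWS\\videodrv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                # .reg files escape backslashes; unescape so the data is a normal path.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mimail_run_entries(text):
    """Return (value_name, data) pairs in the HKLM Run key that match the advisory's indicator."""
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        if name.lower() == SUSPECT_VALUE or SUSPECT_FILE in data.lower():
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_mimail_run_entries(SAMPLE_REG):
        print(f"suspicious Run entry: {name} = {data}")
```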


TruSecure Comments
- ---------------------------------------------------------------------
RISK INDICES:

TEP Score: Hot

Threat
High - This e-mail-borne malicious code has gotten some spread in the wild.

Vulnerability Prevalence
High - Most corporately deployed AV will not detect it without updating to the latest signature file.

Cost
Low-Medium - There does not appear to be a destructive payload; however, it does send mail and is spreading.


Safeguards
- ---------------------------------------------------------------------

TruSecure recommends that administrators implement the following safeguards:

· Install the most current antivirus signatures.
· Block outbound traffic on port 25/tcp for all systems except mail servers.
· Block e-mail attachments that possess the .zip file extension until antivirus signatures are updated.
· Block e-mail based on the Subject: line of this worm.
· Instruct users to not open unexpected (.zip) files.
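The Subject: line and attachment name listed under Warning Indicators are what a gateway filter can key on, as the second and fourth safeguards suggest. The following is an added example, not code from the advisory: it parses an e-mail, flags the worm's subject pattern combined with a message.zip attachment, and separately flags any .zip attachment. The sample message is constructed; addresses and the attachment bytes are placeholders.

```python
import email
import fnmatch
import re
from email import policy

# Advisory indicators: Subject "your account %name%" and the attachment message.zip.
SUBJECT_RE = re.compile(r"^your account \S+$", re.IGNORECASE)
BLOCKED_ATTACHMENT_GLOB = "*.zip"   # safeguard: block .zip until signatures are updated

# Constructed sample (not a real capture); addresses and base64 body are placeholders.
SAMPLE_MSG = """From: Administrator <admin@example.invalid>
To: jdoe@example.invalid
Subject: your account jdoe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello there, I would like to inform you about important Information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def attachment_names(msg):
    """Filenames of all attachment parts, lower-cased for matching."""
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw):
    """Return the list of reasons a message should be quarantined (empty list = pass)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    reasons = []
    if SUBJECT_RE.match(subject) and "message.zip" in names:
        reasons.append("mimail-subject-and-attachment")
    for n in names:
        if fnmatch.fnmatch(n, BLOCKED_ATTACHMENT_GLOB):
            reasons.append("blocked-extension:" + n)
    return reasons
```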

Patches/Software
- ---------------------------------------------------------------------

The Computer Associates Virus Threat for Win32.Mimail.A, as well as the signature and engine information, is available at the following link: Computer Associates

The McAfee Virus Description for W32/Mimail@MM is available at the following link: Virus Description. Detection is currently available in McAfee’s Daily DAT.

The Symantec Security Response for W32.Mimail.A@mm is available at the following link: Security Response. Protection has been included in virus definitions for Intelligent Updater and LiveUpdate since August 1, 2003. The latest virus definitions are available at the following link: Symantec.

The Trend Micro Virus Advisory for WORM_MIMAIL.A is available at the following link: Virus Advisory. Pattern file 597 will be available at the following link: Trend Micro. However, detection is currently available in Trend Micro’s Controlled Pattern Releases.


Product Sets
- ---------------------------------------------------------------------
The security vulnerability applies to the following combinations of products.

Primary Products:
- -----------------
[TruSecure] Action Alert: Original Release
[TruSecure] Malicious Code Alert: Original Release

Associated Products:
- --------------------
[Microsoft, Inc.] Windows 2000: Advanced Server (Base, SP1, SP2, SP3, SP4), Professional (Base, SP1, SP2, SP3, SP4), Server (Base, SP1, SP2, SP3, SP4)
[Microsoft, Inc.] Windows 95: Original Release, a, b, OSR2
[Microsoft, Inc.] Windows 98: Original Release (Base, SP1), Second Edition
[Microsoft, Inc.] Windows Me: Original Release
[Microsoft, Inc.] Windows NT: 3.5, 3.51 (Base, SP1, SP2, SP3, SP4, SP5), 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6a)
[Microsoft, Inc.] Windows Server 2003: Datacenter Edition, Datacenter Edition, 64-bit, Enterprise Edition, Enterprise Edition, 64-bit, Standard Edition, Web Edition
[Microsoft, Inc.] Windows XP: Home Edition (Base, SP1), Professional Edition (Base, SP1), Professional Edition, 64-bit (Base, SP1)

Communication:
- --------------------
Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.
TruSecure Corporation provides information security assurance services, including TruSecure®, which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. Visit Security Solutions for further information on these services.


Disclaimer:
- --------------------
Copyright © 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS."  The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.


Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.


IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.