Microsoft KB Archive/826325

= Virus Alert about the W32/Mimail@MM Virus =

Article ID: 826325

Article Last Modified on 9/27/2007


APPLIES TO


 * Microsoft Outlook Express 6.0
 * Microsoft Outlook Express 5.5
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 5.5
 * Microsoft Outlook 2002 Standard Edition
 * Microsoft Outlook 2000 Standard Edition




SUMMARY
W32/Mimail@MM is a new e-mail worm. The Microsoft Product Support Services Security Team is issuing this alert to inform customers about this new worm. This worm appears to be spreading. Best practices, such as applying security patches, should prevent infection by this worm. Review the information and then take the appropriate action for your environment.



MORE INFORMATION
The virus is received as an e-mail attachment with the following format:

From: Admin

Subject: your account %user%

Importance: High

Hello there, I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details.

--- Best regards, Administrator

Attachment: message.zip

The attached .zip file contains a file named Message.htm. This file automatically creates the file Foo.exe in the Temporary Internet Files folder and then runs it.
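The following Python sketch is an added example, not part of the Microsoft article. It shows how a mail filter could test a raw message for the traits described above: the subject pattern, the Importance header, and an attachment named message.zip that contains Message.htm. The function names, the rule used in `is_suspect`, and the sender address admin@example.com are assumptions, and the sample messages are constructed with inert placeholder content.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Traits taken from the alert text; %user% is matched as any non-blank token.
SUBJECT_RE = re.compile(r"^your account \S+", re.I)
ZIP_NAME = "message.zip"
INNER_NAME = "message.htm"

def mimail_traits(raw_bytes):
    """Return the set of alert traits present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if SUBJECT_RE.match(msg.get("Subject", "") or ""):
        hits.add("subject")
    if (msg.get("Importance", "") or "").strip().lower() == "high":
        hits.add("importance")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ZIP_NAME:
            continue
        hits.add("zip-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.rsplit("/", 1)[-1].lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # named like the worm's archive but not a readable zip
        if INNER_NAME in names:
            hits.add("zip-contains-htm")
    return hits

def is_suspect(raw_bytes):
    """Assumed rule: subject pattern plus message.zip holding Message.htm."""
    return {"subject", "zip-contains-htm"} <= mimail_traits(raw_bytes)

def build_sample(subject, zip_member):
    """Constructed test message; the zip member holds inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zip_member, "inert placeholder")
    m = EmailMessage()
    m["From"] = "Admin <admin@example.com>"  # constructed address
    m["Subject"] = subject
    m["Importance"] = "High"
    m.set_content("Please read attachment for details.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename=ZIP_NAME)
    return m.as_bytes()
```

Matching on the archive contents as well as the subject keeps ordinary "your account" mail without the attachment from being flagged.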

The following files are created in the Windows (%WinDir%) folder:
 * Videodrv.exe (19,824 bytes)
 * Exe.tmp (20,445 bytes)
 * Zip.tmp (20,567 bytes)

The following registry run key is created to load the worm at startup:

This key has the following value:

"VideoDriver" = C:\WINNT\videodrv.exe

Prevention
This worm uses a previously announced vulnerability as part of its infection method. Because of this, make sure that your computer is patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-014:

http://www.microsoft.com/technet/security/bulletin/ms03-014.mspx

Recovery
If your computer has been infected with this virus, contact Microsoft Product Support Services or contact your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Related Microsoft Security Bulletins
http://www.microsoft.com/technet/security/bulletin/ms03-014.mspx

As always, make sure to use the latest antivirus detection from your antivirus vendor to detect new viruses and their variants.

For more information about this alert, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/alerts/mimail.mspx

