Mimail - A New Attack Via an Old Breach
02 Aug 2003
New fun and games from Russian virus writers
Kaspersky Lab, a leading expert in information security, would like to inform you about Mimail, a new Internet worm. Our round-the-clock technical support has already received numerous reports of computers infected with this worm.
Mimail is a typical Internet worm that spreads via email. Infected mail carries a forged sender address, which makes the real sender difficult to identify, and contains the following text:
Subject: your account 'number' (where 'number' is a random number)
Body:
I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.
Best regards, Administrator
Mimail is similar to other worms such as Klez and Lentin (Yaha) in that it gains entry through a security hole in Internet Explorer. The attachment, MESSAGE.ZIP, contains another file, MESSAGE.HTML.
If the user opens MESSAGE.HTML, the embedded JavaScript uses Exploit.SelfExecHTML to write itself to disk. It then drops a carrier file named VIDEODRV.EXE and registers it in the Windows autorun registry key, so VIDEODRV.EXE is launched every time the computer is rebooted.
Mimail also creates several other files in the Windows directory: EXE.TMP (the HTML worm), ZIP.TMP (the archive component) and EML.TMP (the email component).
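The lure and attachment chain described above (forged sender, a subject of the form "your account <number>", MESSAGE.ZIP wrapping MESSAGE.HTML) give a mail gateway enough to triage on. The following Python script is an added example, not code from the original release or from Kaspersky Lab: it builds a constructed message in that shape (with an inert HTML placeholder rather than any exploit content), then checks the subject, the body phrases and the ZIP-wrapped HTML attachment. The indicator strings, the sample addresses and the two-hit quarantine threshold are assumptions chosen for illustration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the Kaspersky description of the Mimail lure.
SUBJECT_RE = re.compile(r"^your account \d+$", re.IGNORECASE)
ATTACHMENT_NAME = "message.zip"
INNER_NAME = "message.html"
BODY_PHRASES = ("email address will be expiring", "read attachment for details")


def build_sample_message() -> bytes:
    """Constructed sample in the Mimail lure shape; the HTML inside the ZIP is an inert stub."""
    msg = EmailMessage()
    msg["From"] = "administrator@example.invalid"  # forged sender (constructed address)
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "your account 5823921"  # constructed random number
    msg.set_content(
        "I would like to inform you about important information\n"
        "regarding your email address. This email address will be expiring.\n"
        "Please read attachment for details.\n"
        "Best regards, Administrator\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(INNER_NAME, "<html><body>placeholder</body></html>")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ATTACHMENT_NAME)
    return bytes(msg)


def zip_member_names(data: bytes) -> list:
    """Lower-cased member names of a ZIP payload, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Score a raw RFC 822 message against the Mimail indicators and return hits plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = msg.get("Subject", "")
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(phrase in body for phrase in BODY_PHRASES):
        hits.append("body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
            # Look inside the archive: the lure wraps an HTML file in a ZIP.
            if INNER_NAME in zip_member_names(part.get_payload(decode=True)):
                hits.append("zip-contains-html")

    # Two independent indicators are required so a single coincidental match does not quarantine.
    verdict = "quarantine" if len(hits) >= 2 else "pass"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Requiring two indicators rather than one keeps a legitimate "your account 1234" notice from being quarantined on the subject alone, while still catching a message that pairs that subject with a ZIP-wrapped HTML attachment even if the body text is changed.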
Microsoft discovered the Exploit.SelfExecHTML problem in March 2002 and has released a special patch for Internet Explorer. Kaspersky Lab strongly recommends downloading this patch in order to prevent further security issues via this breach.
The rapid spread of Mimail is a good reminder that dangerous programs are not only found in EXE files. "It is always a good idea to check all files for viruses before booting up", comments Eugene Kaspersky, founder of Kaspersky Lab and head of anti-virus research.
Mimail continues to spread by scanning directories on the local hard drive for text strings that look like email addresses and recording them in EML.TMP in the Windows directory. It then connects directly to the recipients' mail servers to send copies of itself to these addresses.
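Because Mimail delivers its copies by connecting directly to recipients' mail servers rather than through the organisation's own relay, a workstation that suddenly opens SMTP connections to many distinct hosts is a usable network-side detection signal. The following Python is an added example, not part of the original release: it runs over a few constructed firewall log lines in a hypothetical `src=... dst=... dport=...` format and reports internal hosts that spoke SMTP (port 25) to three or more destinations other than the assumed sanctioned relay 10.0.0.10. The log format, addresses and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the original page); the format is hypothetical.
SAMPLE_LOG = """\
2003-08-02T10:00:01 ALLOW src=10.0.5.21 dst=10.0.0.10 dport=25
2003-08-02T10:00:03 ALLOW src=10.0.5.44 dst=203.0.113.7 dport=25
2003-08-02T10:00:04 ALLOW src=10.0.5.44 dst=198.51.100.22 dport=25
2003-08-02T10:00:04 ALLOW src=10.0.5.44 dst=192.0.2.15 dport=25
2003-08-02T10:00:05 ALLOW src=10.0.5.44 dst=203.0.113.99 dport=25
2003-08-02T10:00:06 ALLOW src=10.0.5.21 dst=192.0.2.80 dport=80
2003-08-02T10:00:07 ALLOW src=10.0.5.44 dst=198.51.100.9 dport=25
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# The organisation's sanctioned outbound mail relay (assumed). Workstations
# should only ever talk SMTP to this host; anything else is direct delivery.
MAIL_RELAYS = {"10.0.0.10"}


def find_direct_smtp_senders(log_text, relays=MAIL_RELAYS, threshold=3):
    """Map each source host to the sorted distinct non-relay SMTP destinations it contacted,
    keeping only hosts at or above the threshold (worm-like fan-out)."""
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that do not carry a connection record
        src, dst, dport = match.groups()
        if dport == "25" and dst not in relays:
            destinations[src].add(dst)
    return {src: sorted(dsts) for src, dsts in destinations.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, dsts in find_direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: direct SMTP to {len(dsts)} hosts: {', '.join(dsts)}")
```

Host 10.0.5.21 only talks to the relay and so is not reported; 10.0.5.44 fans out to five external mail servers in a few seconds, which is the pattern a mass-mailing worm produces and which a simple egress rule (allow port 25 only from the relay) would also block outright.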
Mimail is likely to be the work of Russian virus writers. The hackers used technology practically identical to that of the Trojan StartPage, which was also written in Russia.
"We were lucky this time," notes Eugene Kaspersky. "Mimail is a relatively harmless worm with no serious side effects. The danger is that Mimail takes advantage of a vulnerability in the Internet Explorer, which provides a dangerous precedent for other virus writers and hackers."
Protection against Mimail is included in the Kaspersky® Anti-Virus databases, and a more detailed description of the worm is available in the Kaspersky Virus Encyclopedia.