
 

Virus.Org Mailing List Archive




RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

  • To: "Jay Woody" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
  • From: "Butterworth, James J. EWC (C3F J39)" <[EMAIL PROTECTED]>
  • Date: Fri, 1 Aug 2003 16:42:30 -0700
  • Thread-index: AcNYd5w6iu6azpx2QYOhP1CxQRlJPQADYkOg
  • Thread-topic: WORM_MIMAIL.A Anyone have any info on what this does yet?
 
There is a list of SMTP servers. Once a system is infected, the virus will scan the infected system looking for valid emails, store them in "eml.tmp" in the C:\windows dir, and once it senses an internet connection will forward itself to everyone in the eml.tmp file via those external SMTP servers.  The virus writes the following key to make sure it runs at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run VideoDriver=C:\Windows directory\videodrv.exe

Check for:
C:\Windows\videodrv.exe (payload)
C:\Windows\eml.tmp (list of emails the payload found to send itself to)
c:\Windows\foo.exe (installation file)

r/Jim Butterworth


> -----Original Message-----
> From:	Jay Woody [SMTP:[EMAIL PROTECTED]
> Sent:	Friday, August 01, 2003 11:54 AM
> To:	[EMAIL PROTECTED]
> Subject:	RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> 
> We are just dropping everything from [EMAIL PROTECTED]  This message seems
> to always use admin as the "From:" field and just append our company
> name to it.  We will probably also use another piece of equipment to do
> a subject line drop also.
> 
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
> 
> JayW
> 
> >>> "Schmehl, Paul L" <[EMAIL PROTECTED]> 08/01/03 01:16PM >>>
> <http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]>
> 
> We're blocking message.zip at the gateway.
> 
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/ 
> 
> > -----Original Message-----
> > From: Danny [mailto:[EMAIL PROTECTED] 
> > Sent: Friday, August 01, 2003 12:56 PM
> > To: [EMAIL PROTECTED] 
> > Subject: WORM_MIMAIL.A Anyone have any info on what this does yet?
> > 
> > 
> > We are getting flooded with these little puppies, does anyone have any
> > additional info on what this thing does once it infects a host? I'll be
> > infecting a box to test myself after I send this email but if anyone has
> > done testing already it would be great to hear your input.
> 
> 

---------------------------------------------------------------------------
----------------------------------------------------------------------------
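
The host checks listed in the message above (three files in the Windows directory and the startup entry), written as a read-only PowerShell function. This is an added example, not part of the original thread: the function name `Test-MimailIndicators` is hypothetical, `$env:windir` is assumed to correspond to the post's `C:\Windows`, and the startup entry is assumed to be a value named `VideoDriver` under the `Run` key.

```powershell
# Added example: read-only host check for the indicators listed in the post.
# Test-MimailIndicators is a hypothetical name; nothing is modified or deleted.
function Test-MimailIndicators {
    [CmdletBinding()]
    param(
        # Assumption: the post's "C:\Windows" is this host's Windows directory.
        [string]$WindowsDir = $env:windir,
        [string]$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # File names and roles exactly as given in the post.
    $files = [ordered]@{
        'videodrv.exe' = 'payload'
        'eml.tmp'      = 'list of harvested e-mail addresses'
        'foo.exe'      = 'installation file'
    }

    $findings = @(foreach ($name in $files.Keys) {
        $path = Join-Path -Path $WindowsDir -ChildPath $name
        # -Force so hidden or system-flagged files are still returned.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Type     = 'File'
                Location = $item.FullName
                Role     = $files[$name]
                Detail   = 'size={0} modified={1:s}' -f $item.Length, $item.LastWriteTime
            }
        }
    })

    # Assumption: the autostart entry is a value named VideoDriver under Run.
    $run = Get-ItemProperty -LiteralPath $RunKey -Name 'VideoDriver' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Type     = 'Registry'
            Location = "$RunKey\VideoDriver"
            Role     = 'run at startup'
            Detail   = [string]$run.VideoDriver
        }
    }

    $findings
}

# Any row returned means the host needs a closer look.
Test-MimailIndicators | Format-Table -AutoSize -Wrap
```

An empty result only means these specific names were not found; it does not clear the host.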


 