Updated: 11 August 2003

W32/Mimail.A@mm

5 August 2003

The W32/Mimail.A worm started spreading this weekend and has already gained wide distribution. Mimail.A spreads through infected attachments to e-mail messages that are disguised as coming from the recipient's local administrator.

Recommended Reactions

We strongly recommend that users of F-Prot Antivirus products upgrade to the latest versions of F-Prot Antivirus, update their virus signature files and scan their machines. It is also necessary to patch against the vulnerabilities exploited by Mimail.A with the patch available from Microsoft's site.

Windows users using the Realtime Protector were not in any danger from Mimail.A as the Realtime Protector stopped it from executing.

Threat Description

The e-mail message is as follows:

From: admin@local-domain-name
Subject: your account :  ( + 'random characters')

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details
---
Best regards, Administrator
Attachment: message.zip

When opened, the attachment infects the computer by dropping an executable named foo.exe and running it; the worm then mails itself to several addresses collected from the local hard drive.

Mimail.A uses a vulnerability to create a copy of the worm in the Temporary Internet Files folder, and then run it.

For information on this vulnerability and a patch, visit:

http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
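The message characteristics listed above can also be checked at a mail gateway. The following is an added example, not code from F-Prot Antivirus: it flags a message only when all three indicators from the description are present. It assumes that "local-domain-name" means the recipient's own domain; the function names and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample that follows the message layout described in this advisory.
SAMPLE_WORM = """\
From: admin@example.com
To: alice@example.com
Subject: your account qkzxwv
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read attachment for details
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="message.zip"

(constructed placeholder, not a real archive)
--b1--
"""

# Constructed benign message that shares two of the three indicators.
SAMPLE_BENIGN = """\
From: admin@example.com
To: alice@example.com
Subject: your account password was reset

Your password was changed as requested.
"""

def mimail_a_indicators(raw):
    """Return the advisory's message indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.partition("@")
    # Assumption: "local-domain-name" is the recipient's own mail domain.
    if s_local == "admin" and s_domain and s_domain == rcpt.rpartition("@")[2]:
        hits.append("from-admin-at-recipient-domain")
    if (msg.get("Subject") or "").strip().lower().startswith("your account"):
        hits.append("subject-your-account")
    if any((p.get_filename() or "").lower() == "message.zip" for p in msg.walk()):
        hits.append("attachment-message.zip")
    return hits

def looks_like_mimail_a(raw):
    # Each indicator alone is common in legitimate mail, so require all three.
    return len(mimail_a_indicators(raw)) == 3
```

A match on these header and filename indicators is a triage signal only; the From address is spoofed by the worm, and signature-based scanning of the attachment remains the authoritative check.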

Threat Detection

W32/Mimail.A@mm is detected and prevented from running with the latest versions of F-Prot Antivirus (released on 2 to 5 August 2003) using virus signature files dated 2 August 2003 or later.