The virus takes advantage of the exploit that was patched via MS03-014 (KB 330994). That patch was identified in WindowsUpdate as an Outlook Express patch, and is fairly new. The name of the virus is W32.Mimail.A@mm. McAfee identifies it as Exploit-Codebase (that is the type of virus it is, but I found it odd that it calls it that). Here is info from Symantec on it:
Quote:
When W32.Mimail.A@mm is run, it does the following:
Copies itself to %Windir%\Videodrv.exe.
Adds the value:
"VideoDriver"="%Windir%\videodrv.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that W32.Mimail.A@mm runs when you start Windows
Uses its own SMTP server to spread by email.
The email has the following characteristics:
From: admin@<current domain> (The From address may be spoofed to appear as if it's coming from the current domain)
Subject: your account %s
Message:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
Attachment: Message.zip
Message.zip contains the file, Message.htm, which uses a code base exploit to create a copy of the worm named Foo.exe in the Temporary Internet Files folder, and then runs it.
Have a virus-free weekend! ;)
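As an added defender-side example (not part of the original post or of Symantec's write-up), a small Python triage script that checks a message for the mail characteristics quoted above (From admin@..., Subject "your account ...", Message.zip attachment holding Message.htm) and checks a Run-key snapshot for the "VideoDriver" = videodrv.exe persistence value. The sample message and the snapshot dictionary are constructed here for demonstration; the archive is only listed, never extracted or opened.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the Symantec description quoted above (host value name/data and mail traits).
SUBJECT_RE = re.compile(r"^your account\b", re.IGNORECASE)
RUN_VALUE_NAME = "VideoDriver"
RUN_VALUE_DATA = "videodrv.exe"


def mail_indicators(raw: bytes) -> list[str]:
    """Return the Mimail.A mail characteristics matched by one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").lower()
    if sender.startswith("admin@") or "<admin@" in sender:
        hits.append("from-admin")
    if SUBJECT_RE.search(msg.get("Subject") or ""):
        hits.append("subject-your-account")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment-message.zip")
        try:  # Inspect the archive listing only; nothing inside is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower() == "message.htm" for n in zf.namelist()):
                    hits.append("zip-contains-message.htm")
        except zipfile.BadZipFile:
            hits.append("attachment-not-a-valid-zip")
    return hits

def run_key_indicator(run_values: dict) -> bool:
    """True if a Run-key snapshot (value name -> data) holds the persistence entry."""
    return run_values.get(RUN_VALUE_NAME, "").lower().endswith(RUN_VALUE_DATA)

def build_sample() -> bytes:
    """Constructed test message with the described traits; the HTM is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Message.htm", "<html>placeholder</html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.test"  # constructed sender, not a real domain
    msg["Subject"] = "your account example"
    msg.set_content("Hello there, ... please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Message.zip")
    return msg.as_bytes()
```

A message matching all four mail indicators, or a Run key matching the persistence value, is worth quarantining and checking against the MS03-014 patch status of the host.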