Dallas-Mavs.com Forums

Old 08-01-2003, 06:26 PM   #1
WayOutWest
Golden Member
 
Join Date: Dec 2002
Posts: 1,037
OT: Must read for anyone who uses yahoo email

There is a virus being sent to a lot of Yahoo email accounts.

It comes from "admin@yahoo.com".

The email states that your Yahoo email account is about to expire, and the message contains an attachment. I was suspicious of it and ran it through two virus checkers; Norton missed it but McAfee caught it. Don't open the email, just delete it, because even the virus checker that caught it couldn't delete it.
__________________
"History shouldn't be a mystery"
"Our stories real history"
"Not his story"

"Lakers hate causes blindness"
Old 08-01-2003, 06:28 PM   #2
mavsfanforever
Diamond Member
 
Join Date: Apr 2003
Posts: 8,141

Actually one guy at work opened it and our entire mailbox was affected. We resolved the issue.
__________________
BELIEVE IT.
Old 08-01-2003, 06:34 PM   #3
WayOutWest
Golden Member
 
Join Date: Dec 2002
Posts: 1,037

Quote:
Originally posted by: mavsfanforever
Actually one guy at work opened it and our entire mailbox was affected. We resolved the issue.

What's the name of the virus and what does it do?
Old 08-01-2003, 06:37 PM   #4
mavsfanforever
Diamond Member
 
Join Date: Apr 2003
Posts: 8,141

Quote:
Originally posted by: WayOutWest
Quote:
Originally posted by: mavsfanforever
Actually one guy at work opened it and our entire mailbox was affected. We resolved the issue.

What's the name of the virus and what does it do?

I am not in desktop dept. I can find out on Monday. That may be too late.

Old 08-01-2003, 09:05 PM   #5
Chiwas
Guru
 
Join Date: Sep 2002
Posts: 13,363

I just checked and saw this message in the page of Yahoo's mail:

Today's tip: VIRUS ALERT - If you receive a message with an attachment named "message.zip" we strongly advise against opening the attachment. Delete the message immediately.

Old 08-01-2003, 11:51 PM   #6
Drbio
Banned
 
Join Date: Feb 2002
Location: Nowhere
Posts: 40,924

It's not just yahoo. admin@baylor or whatever else your service is does the same thing. It's a worm.
Old 08-02-2003, 12:03 AM   #7
u2sarajevo
moderately impressed
 
Join Date: May 2003
Location: Home of the thirteenth colony
Posts: 17,705

The virus takes advantage of the exploit that was patched via MS03-014 (KB 330994). That patch was identified in WindowsUpdate as an Outlook Express patch, and is fairly new. The name of the virus is W32.Mimail.A@mm. McAfee identifies it as Exploit-Codebase (that is the type of virus it is, but I found it odd that it calls it that). Here is info from Symantec on it:

Quote:
When W32.Mimail.A@mm is run, it does the following:

Copies itself to %Windir%\Videodrv.exe.

Adds the value:

"VideoDriver"="%Windir%\videodrv.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that W32.Mimail.A@mm runs when you start Windows



Uses its own SMTP server to spread by email.
The email has the following characteristics:

From: admin@<current domain> (The from address may be spoofed as if to appear it's coming from the current domain)

Subject: your account %s

Message:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

Best regards,
Administrator

Attachment: Message.zip



Message.zip contains the file, Message.htm, which uses a code base exploit to create a copy of the worm named Foo.exe in the Temporary Internet Files folder, and then runs it.

Have a virus-free weekend! ;)
u2sarajevo is offline   Reply With Quote
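
The message traits in the Symantec description quoted above (an admin@ sender, a "your account" subject, and Message.zip containing Message.htm) can be checked at a mail gateway. The sketch below is an added example, not part of the thread or of Symantec's write-up; the function names, the example.com addresses and the quarantine rule are assumptions, and the sample message is constructed with an inert placeholder inside the zip.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr


def build_sample(subject="your account abcdefgh", attach=True) -> bytes:
    """Constructed message shaped like the quoted description; the zip holds inert text."""
    msg = EmailMessage()
    msg["From"] = "admin@example.com"  # constructed address
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("This email address will be expiring. Please read attachment for details.")
    if attach:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Message.htm", "<html>inert placeholder</html>")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Message.zip")
    return msg.as_bytes()


def mimail_indicators(raw: bytes) -> list:
    """Return the indicators from the quoted write-up that this message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # The domain is spoofed per recipient, so only the local part is meaningful.
    if parseaddr(str(msg.get("From", "")))[1].lower().startswith("admin@"):
        hits.append("from-admin")
    if str(msg.get("Subject", "")).lower().startswith("your account"):
        hits.append("subject-your-account")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment-message.zip")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()  # reads the directory only; nothing is extracted
        except zipfile.BadZipFile:
            continue
        if any(n.lower() == "message.htm" for n in names):
            hits.append("zip-contains-message.htm")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Header text alone is weak (any admin@ sender matches); require the attachment."""
    hits = mimail_indicators(raw)
    return "attachment-message.zip" in hits and len(hits) >= 2
```

A legitimate notice from a real admin@ address matches only the sender check, so it passes through; the attachment name is what the rule keys on.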
Old 08-02-2003, 12:07 AM   #8
u2sarajevo
moderately impressed
 
Join Date: May 2003
Location: Home of the thirteenth colony
Posts: 17,705

Forgot to add... if you run McAfee VirusScan, definitions dated 4.0.4192 and higher will detect it. Norton AntiVirus defs released today will find it; the definition updates for Norton can be found here:


Norton Antivirus Updates

I am trying to get the link to McAfee's updates, but their site is being slammed right now.

Okay... I got it, McAfee updates below:

McAfee Virus Definition Update
All times are GMT -5.