Worm Alert: Mimail
This worm, which affects Windows machines, arrives as an e-mail attachment
called message.zip in a message supposedly from the
"admin" of your e-mail system. The message falsely claims that
your e-mail address "will be expiring". If the attachment is
opened, it will search the computer for any e-mail address it can
find in a variety of files so it can send out additional copies of
itself. If you do receive an e-mail with these characteristics, DO NOT
open the attachment--simply delete the e-mail.
More Details
This worm arrives in an e-mail like this, where {your e-mail
username} is your particular e-mail username:
From: admin@yourmailsystem
Subject: your account {your e-mail username}
Importance:
Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring. Please read
attachment for details.
-- Best regards, Administrator
Attachment: message.zip
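A mail administrator can screen stored or incoming messages for the three characteristics shown above. The following is an added example, not part of the original alert or any vendor tool; the function names, the example.edu domain and the jdoe username are assumptions, and the sample message is constructed.

```python
import email
from email import policy

# Constructed sample modelled on the message shown in this alert; the
# attachment body is a placeholder, not a real archive.
SAMPLE = """\
From: admin@example.edu
To: jdoe@example.edu
Subject: your account jdoe
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This email address will be expiring. Please read attachment for details.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="message.zip"

placeholder
--b1--
"""

def mimail_indicators(raw):
    """Return which of the alert's three message traits a raw e-mail shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    senders = msg["From"].addresses if msg["From"] else ()
    rcpts = msg["To"].addresses if msg["To"] else ()
    subject = str(msg["Subject"] or "").strip().lower()
    hits = []
    # Trait 1: sender poses as "admin" of the recipient's own mail domain.
    domains = {r.domain.lower() for r in rcpts}
    if any(s.username.lower() == "admin" and s.domain.lower() in domains for s in senders):
        hits.append("sender")
    # Trait 2: subject is "your account <recipient username>".
    if any(subject == f"your account {r.username.lower()}" for r in rcpts):
        hits.append("subject")
    # Trait 3: an attachment named message.zip.
    if any((p.get_filename() or "").lower() == "message.zip"
           for p in msg.iter_attachments()):
        hits.append("attachment")
    return hits

def looks_like_mimail(raw):
    """Flag only when all three traits are present, to limit false positives."""
    return len(mimail_indicators(raw)) == 3

if __name__ == "__main__":
    print(mimail_indicators(SAMPLE), looks_like_mimail(SAMPLE))
```

Requiring all three traits keeps a genuine notice from a real admin@ address from being flagged on the sender name alone.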
Once activated, the worm will create several files in the Windows
(Windows or Winnt) directory:
- videodrv.exe
- exe.tmp
- zip.tmp
The worm will then add the following entry to the registry so that the
worm runs every time Windows is started:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"VideoDriver" = C:\WINNT\videodrv.exe
Avoiding the Worm
The easiest way to avoid activating the worm is to NOT open the attachment
in the e-mail message.
If your McAfee anti-virus software is relatively up-to-date, it will
detect the worm if you attempt to open it or will remove it if you've
already opened the attachment.
If your computer is infected with Mimail, you can remove it by using the
Stinger removal tool from McAfee. A link to download Stinger and
instructions on its use can be found at http://vil.nai.com/vil/stinger/
Additional Information
For further information, visit:
McAfee: http://vil.nai.com/vil/content/v_100523.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html