
RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: Butterworth, James J. EWC (C3F J39) <james.butterworth(at)c3f.navy.mil>
Date: Fri Aug 01 2003 - 19:42:30 EDT


There is a list of SMTP servers that, once infected, the virus will scan the infected system looking for valid emails, store them in "eml.tmp" in the C:\windows dir, and once it senses an internet connection will forward itself to everyone in the eml.tmp file via those external SMTP servers. The virus writes the following key to make sure it runs at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run VideoDriver=C:=Windows directory\videodrv.exe

Check for:

C:\Windows\videodrv.exe (payload)
C:\Windows\eml.tmp (list of emails the payload found to send itself to)
c:\Windows\foo.exe (installation file)

r/Jim Butterworth

> -----Original Message-----
> From: Jay Woody [SMTP:jay_woody@tnb.com]
> Sent: Friday, August 01, 2003 11:54 AM
> To: incidents@securityfocus.com
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

>
> We are just dropping everything from admin@tnb.com. This message seems



Received on Sun Aug 3 11:43:41 2003
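
Added example, not part of the original message or the archive: a triage check for the indicators listed in the post (the three file names and the VideoDriver Run value), run against a Windows directory from a mounted image and the saved text of a `reg query` on the Run key. The function names, the address regex and the assumption that eml.tmp holds addresses as plain text are illustrative, not taken from the post.

```python
import os
import re

# File names and the Run value are the indicators listed in the post above.
ARTIFACTS = {"videodrv.exe": "payload",
             "eml.tmp": "harvested address list",
             "foo.exe": "installation file"}
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# One value line of `reg query` output: indented name, type, data.
REG_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s+(.*)$")

def find_artifacts(windows_dir):
    """Look for the three files directly under windows_dir, ignoring case."""
    hits = {}
    for entry in os.scandir(windows_dir):
        role = ARTIFACTS.get(entry.name.lower())
        if role and entry.is_file():
            hits[entry.name.lower()] = {"role": role, "path": entry.path}
    return hits

def harvested_addresses(eml_tmp_path):
    """Unique address-like strings in eml.tmp (plain-text layout is assumed)."""
    with open(eml_tmp_path, "r", errors="replace") as fh:
        return sorted({a.lower() for a in ADDR.findall(fh.read())})

def run_key_hits(reg_query_text):
    """Run-key values named VideoDriver or whose data ends in videodrv.exe."""
    hits = []
    for line in reg_query_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, _type, data = m.groups()
        data = data.strip()
        if (name.lower() == "videodriver"
                or data.lower().strip('"').endswith("videodrv.exe")):
            hits.append((name, data))
    return hits

def triage(windows_dir, reg_query_text=""):
    """Combine file, address-list and Run-key findings for one host."""
    files = find_artifacts(windows_dir)
    addrs = []
    if "eml.tmp" in files:
        addrs = harvested_addresses(files["eml.tmp"]["path"])
    return {"files": files, "addresses": addrs,
            "run_key": run_key_hits(reg_query_text)}
```

The address list recovered from eml.tmp shows which recipients the host would have mailed, which helps scope notification.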

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:14 EDT

