From: "Frits Wüthrich" <[EMAIL PROTECTED]>

> On Thu, 2004-03-04 at 06:20, Lawrence Kwan wrote:
> > > When I opened the zip file using the password, McAfee was able to find
> > > it and identify it as W32/[EMAIL PROTECTED]
> >
> > Wow, I am quite shocked that some of you would continue to open attached
> > file from unknown source. DON'T RELY ON YOUR ANTI-VIRAL PROGRAM!
> > Unless you fully expected to receive such a file, JUST DELETE IT if you
> > don't know what it is all about.
>
> I didn't open the .exe file, I opened the ZIP file, that is quite
> something different. I wouldn't dream of opening the exe file, or pif or
> scr or whatever, I don't rely on my anti virus software to stop it, I
> just wanted to find out what the virus was.
> I don't receive nor read in a Windows environment to begin with.
> So: no need to be shocked in my case.
At http://www.pchell.com/virus/mimail.shtml (where there are more removal
instruction links) I found the following information, which would indicate
that simply unzipping the file could trigger the exe-file to automatically
run and infect you:

What is the MiMail.A Worm?

MiMail.A is a mass mailing worm that arrives as a zipped attachment in an
email. The zip file has an html file attached. The html file "message.htm"
takes advantage of two known security vulnerabilities, the MHTML exploit
and the codebase exploit.

The virus arrives as an email similar to:

--------------------------------------------------------------------------------
From: admin@<current domain>
(The from address may be spoofed to appear that it is coming from the
current domain)
Subject: your account [random string]
Message:
Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring. Please read attachment
for details.
Best regards,
Administrator
Attachment: Message.zip
--------------------------------------------------------------------------------

How Does MiMail.A Worm Infect My System?

Once unzipped, the worm creates an exe file named foo.exe in the Temporary
Internet Files directory and runs it. The following files are then created
in the Windows directory:

  videodrv.exe
  exe.tmp (temporary copy of message.htm)
  zip.tmp (temporary copy of message.zip)

It also adds the following registry key to the system:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "VideoDriver" = C:\Windows\videodrv.exe

as well as

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}

What Does the MiMail.A Worm Do?

Once a computer is infected, the virus checks to see if the system is
connected to the Internet by trying to contact google.com. If it can contact
google, then the worm attempts to gather email addresses from the infected
computer.

It grabs addresses from all files on the system, EXCEPT files that have the
following extensions:

  COM WAV CAB PDF RAR ZIP TIF PSD OCX VXD MP3 MPG AVI DLL EXE GIF JPG BMP

These addresses are then stored in a file named eml.tmp in the Windows
directory.

The worm has its own SMTP engine. For each email address the worm sends to,
it will:

  - Look up the MX record for the domain name using the DNS server of the
    current host. If a DNS server is not found, it will default to
    212.5.86.163.
  - Acquire the mail server associated with that particular domain.
  - Directly contact the destination server.

How Can I Remove the MiMail.A worm?

Follow these steps in removing the MiMail worm.

1) Terminate the running program

   Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x
   machines or CTL+Shift+Tab and clicking on the Processes tab on
   WinNT/2000/XP machines.
   Locate the following program, click on it and End Task or End Process:
     VIDEODRV.EXE
   Close Task Manager.

2) Remove the Registry entries

   Click on Start, Run, Regedit.
   In the left panel go to
     HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
   In the right panel, right-click and delete the following entry:
     "VideoDriver"="%Windows%\videodrv.exe"
   Repeat this procedure for
     HKEY_LOCAL_MACHINE>Software>Microsoft>Code Store Database>Distribution Units
   In the right panel, locate and delete the entry:
     {11111111-1111-1111-1111-111111111111}
   Close the Registry Editor.

3) Delete the infected files (for Windows ME and XP remember to turn off
   System Restore before searching for and deleting these files to remove
   infected backed up files as well)

   Click Start, point to Find or Search, and then click Files or Folders.
   Make sure that "Look in" is set to (C:\WINDOWS).
   In the "Named" or "Search for..." box, type, or copy and paste, the file
   names:
     eml.tmp
     zip.tmp
     exe.tmp
   Click Find Now or Search Now.
   Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite
   antivirus program.

5) Apply the patches for the MHTML exploit and the codebase exploit, to
   avoid viruses like this in the future.

For Automatic Removal of MiMail.A, download the Symantec removal tool.

Lasse
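The removal steps above are manual, so a defender who has to check many
hosts wants the same indicators (the VIDEODRV.EXE process, the
"VideoDriver" Run value, the all-ones Distribution Units key, and the
dropped files in the Windows directory) checked by a script. The following
PowerShell audit is an added example, not code from the pchell.com article,
from Symantec, or from anyone on this thread. It assumes a Windows host with
PowerShell available, uses $env:SystemRoot as the "%Windows%" directory the
article refers to, and only reports; it does not terminate anything or
delete keys or files. The function name Test-MiMailIndicators is my own.

```powershell
# Added example: read-only audit for the MiMail.A indicators listed in the
# article above. Run in an elevated PowerShell on the host under
# investigation; it reports findings and changes nothing.
function Test-MiMailIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    # The article writes this directory as "%Windows%" (e.g. C:\Windows).
    $winDir = $env:SystemRoot

    # 1) Running process VIDEODRV.EXE (Get-Process takes the name without .exe).
    $proc = Get-Process -Name 'videodrv' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += "Process videodrv.exe is running (PID $($proc.Id -join ', '))"
    }

    # 2) Autorun value HKLM\...\Run "VideoDriver".
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -Name 'VideoDriver' `
                    -ErrorAction SilentlyContinue).VideoDriver
    if ($runValue) {
        $findings += "Run value VideoDriver = $runValue"
    }

    # 3) Distribution Units key with the all-ones GUID.
    $duKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}'
    if (Test-Path -LiteralPath $duKey) {
        $findings += "Distribution Units key present: $duKey"
    }

    # 4) Files the worm drops in the Windows directory.
    foreach ($name in 'videodrv.exe', 'eml.tmp', 'zip.tmp', 'exe.tmp') {
        $path = Join-Path -Path $winDir -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += "File present: $path"
        }
    }

    return $findings
}

# Usage: collect the findings and print a short report.
$hits = @(Test-MiMailIndicators)
if ($hits.Count -eq 0) {
    'No MiMail.A indicators found.'
} else {
    'MiMail.A indicators found:'
    $hits | ForEach-Object { "  - $_" }
}
```

Two caveats when reading the result: an absent indicator only means this
particular worm variant is not present in the places the article names, so
a clean report is not a substitute for the full antivirus scan in step 4;
and on a 64-bit Windows the 32-bit registry view (WOW6432Node) is a separate
location, so a thorough check should be repeated there as well.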