Yes, you are correct, one can't be too careful.

On Thu, 2004-03-04 at 16:16, Lasse Karlsson wrote:
> From: "Frits Wüthrich" <[EMAIL PROTECTED]>
> > On Thu, 2004-03-04 at 06:20, Lawrence Kwan wrote:
> > > > When I opened the zip file using the password, McAfee was able to find
> > > > it and identify it as W32/[EMAIL PROTECTED]
> > > 
> > > Wow, I am quite shocked that some of you would continue to open attached
> > > file from unknown source.  DON'T RELY ON YOUR ANTI-VIRAL PROGRAM!
> > > Unless you fully expected to receive such a file, JUST DELETE IT if you
> > > don't know what it is all about.
> > I didn't open the .exe file, I opened the ZIP file, that is quite
> > something different. I wouldn't dream of opening the exe file, or pif or
> > scr or whatever, I don't rely on my anti virus software to stop it, I
> > just wanted to find out what the virus was.
> > I don't receive nor read in a Windows environment to begin with.
> > So: no need to be shocked in my case.
> 
> At 
> http://www.pchell.com/virus/mimail.shtml
> (where there are more removal instruction links)
> 
> I found the following information, which would indicate that simply unzipping the 
> file could trigger the exe-file to automatically run and infect you:
>   
> What is the MiMail.A Worm?
> MiMail.A is a mass mailing worm that arrives as a zipped attachment in an email. The 
> zip file has an html file attached. The html file "message.htm" takes advantage of 
> two known security vulnerabilities, MHTML exploit and the codebase exploit. The 
> virus arrives as an email similar to:
> 
> 
> --------------------------------------------------------------------------------
> 
> From: admin@<current domain> (The from address may be spoofed to appear that it is 
> coming from the current domain)
> 
> Subject: your account [random string]
> 
> Message:
> Hello there,
> I would like to inform you about important information regarding your email address. 
> This email address will be expiring. Please read attachment for details.
> 
> Best regards,
> Administrator
> 
> Attachment: Message.zip
> 
> 
> --------------------------------------------------------------------------------
> 
> How Does MiMail.A Worm Infect My System?
> 
> Once unzipped, the worm creates an exe file named foo.exe in the Temporary Internet 
> Files directory and runs it. 
> 
> The following files are then created in the Windows directory
> 
> videodrv.exe 
> exe.tmp  (temporary copy of message.html) 
> zip.tmp (temporary copy of message.zip) 
> It also adds the following registry key to the system.
> 
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> 
> "VideoDriver" = C:\Windows\videodrv.exe 
> 
> as well as 
> 
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution 
> Units\{11111111-1111-1111-1111-111111111111}
> 
> What Does the MiMail.A Worm Do?
> 
> Once a computer is infected, the virus checks to see if the system is connected to 
> the Internet by trying to contact google.com. If it can contact google, then the 
> worm attempts to gather email addresses from the infected computer. It grabs 
> addresses from all files on the system, EXCEPT files that have the following 
> extensions: 
> 
> COM 
> WAV 
> CAB 
> PDF 
> RAR 
> ZIP 
> TIF 
> PSD 
> OCX 
> VXD 
> MP3 
> MPG 
> AVI 
> DLL 
> EXE 
> GIF 
> JPG 
> BMP 
> These addresses are then stored in a file named eml.tmp in the Windows directory. 
> The worm has its own SMTP engine. For each email address the worm sends to, it will
> 
> Look up the MX record for the domain name using the DNS server of the current host. 
> If a DNS server is not found, it will default to 212.5.86.163. 
> Acquire the mail server associated with that particular domain. 
> Directly contact the destination server. 
> How Can I Remove the MiMail.A worm?
> 
> Follow these steps in removing the MiMail worm.
> 
> 1) Terminate the running program
> 
> Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or 
> CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines. 
> Locate the following program, click on it and End Task or End Process 
>        VIDEODRV.EXE 
> 
> Close Task Manager 
> 2) Remove the Registry entries
> 
> Click on Start, Run, Regedit 
> In the left panel go to 
> HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
> 
> In the right panel, right-click and delete the following entry 
> "VideoDriver"="%Windows%\videodrv.exe"
> 
> Repeat this procedure for
> 
> HKEY_LOCAL_MACHINE>Software>Microsoft>Code Store Database>Distribution Units 
> 
> In the right panel, locate and delete the entry: 
> {11111111-1111-1111-1111-111111111111} 
> Close the Registry Editor 
> 3) Delete the infected files (for Windows ME and XP remember to turn off System 
> Restore before searching for and deleting these files to remove infected backed up 
> files as well)
> 
> Click Start, point to Find or Search, and then click Files or Folders.
> 
> Make sure that "Look in" is set to (C:\WINDOWS).
> 
> In the "Named" or "Search for..." box, type, or copy and paste, the file names:
> eml.tmp
> zip.tmp 
> exe.tmp
> 
> Click Find Now or Search Now.
> 
> Delete the displayed files. 
> 4) Reboot the computer and run a thorough virus scan using your favorite antivirus 
> program.
> 
> 5) Apply the patches, MHTML exploit and codebase exploit, to avoid viruses like 
> this in the future.
> 
> For Automatic Removal of MiMail.A, download the Symantec removal tool
> 
> 
> Lasse
> 
> 
-- 
Frits Wüthrich <[EMAIL PROTECTED]>
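The thread's point is that listing a suspicious archive is not the same as opening what is inside it, and that the .htm carrier can do damage as soon as it is rendered. The following script, added here as an illustration and not part of the mailing-list thread or of any vendor tool, shows the safe way to learn what an attachment contains: it reads only the zip central directory (no member is decompressed or written to disk), reports the encryption flag that a password-protected attachment would carry, and flags members whose extension Windows would execute or render with scripting. The extension list and the sample archive (built in memory with placeholder contents, using the `message.htm` name from the quoted write-up) are constructed for this example.

```python
import io
import zipfile

# Member types a user should never double-click after extracting an unexpected
# attachment: the executables named in the thread plus the HTML carrier that the
# quoted write-up says MiMail.A uses. This list is this example's own choice.
RISKY_EXTENSIONS = {
    ".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js",
    ".htm", ".html",
}


def inspect_zip(data: bytes) -> list[dict]:
    """Return one record per archive member.

    Only the central directory is parsed; nothing is decompressed, so this
    works on a password-protected archive and never runs or renders a member.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            findings.append({
                "name": name,
                "size": info.file_size,
                "compressed": info.compress_size,
                # General-purpose flag bit 0 marks a traditionally encrypted member.
                "encrypted": bool(info.flag_bits & 0x1),
                "risky": ext in RISKY_EXTENSIONS,
            })
    return findings


def verdict(findings: list[dict]) -> tuple[str, list[str]]:
    """Summarise a listing: QUARANTINE if any member is of a risky type."""
    risky = [f["name"] for f in findings if f["risky"]]
    return ("QUARANTINE" if risky else "OK"), risky


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the attachment described in the thread.
    The member name comes from the quoted write-up; the body is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.htm", "<html><body>placeholder</body></html>")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: a plain text note and an image name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "meeting agenda")
        zf.writestr("photo.jpg", "not really a jpeg, placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample attachment", build_sample_zip()),
                        ("benign archive", build_benign_zip())):
        listing = inspect_zip(data)
        status, names = verdict(listing)
        print(f"{label}: {status}")
        for f in listing:
            flag = "RISKY" if f["risky"] else "ok"
            enc = " (encrypted)" if f["encrypted"] else ""
            print(f"  {f['name']:<20} {f['size']:>6} bytes  {flag}{enc}")
        if names:
            print("  do not extract; risky members:", ", ".join(names))
```

Run it against a real attachment by replacing the constructed bytes with `open(path, "rb").read()`; because `infolist()` never inflates a member, the listing is available even when the archive is password-protected, which is exactly the information the thread wanted without touching the payload.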
