# CERT® Incident Note IN-2003-02

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

## W32/Mimail Virus

Release Date: August 2, 2003

### Overview

On Friday, August 1st 2003, the CERT Coordination Center began to receive an increased number of reports of a new mass-mailing virus, now referred to as W32/Mimail, spreading on the Internet.

### Description

The W32/Mimail virus is a malicious file attachment containing a specially crafted MHTML file named 'message.html'. This file is delivered inside a .ZIP archive file named 'message.zip'. Viewing the 'message.html' file on a vulnerable system will cause the malicious code to be installed and executed. The malicious code is a mass-mailer.

The email message may look like the following:

    From: admin@<your domain>
    Subject: <your account> [random text]

    Hello there,

    I would like to inform you about important information regarding your email address.
    This email address will be expiring.
    Please read attachment for details

    ---
    Best regards,
    Administrator

    [random text]

The malicious code is installed and runs as `%windowsroot%\videodrv.exe`. The recipients are determined by scanning files in `C:\Documents and Settings\{current_user}\`, `C:\Program Files\` and `C:\%windowsroot%\Fonts\` for the pattern `%s@%s`, and this information is stored in `%windowsroot%\eml.tmp`.

Anti-virus vendors have developed signatures for W32/Mimail which can be found at:
The vulnerability which makes it possible for W32/Mimail to execute automatically once the .ZIP archive is opened is described in Vulnerability Note VU#208052 and Microsoft Security Bulletin MS03-014. According to Microsoft Security Bulletin MS03-014:

> MHTML is a standard for exchanging HTML content in e-mail, and, as a result, the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content. However, the MHTML function has not been implemented separately in Internet Explorer - it uses Outlook Express to render the MHTML content.

Thus, the MHTML-format file 'message.html' exploits a vulnerability in Outlook Express, but it poses a threat to any application that uses Internet Explorer (and thus Outlook Express) to render its contents.

### Solutions

#### Apply the patch from Microsoft

The CERT/CC encourages sites to review Microsoft Security Bulletin MS03-014 and apply the Cumulative Patch for Outlook Express (330994).

#### Run and maintain an anti-virus product

While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Users may wish to read Incident Note IN-2003-01 for more information on anti-virus software and security issues.

Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Mimail. Therefore, it is important that users keep their antivirus software up to date. The CERT/CC maintains a partial list of antivirus vendors. Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.

#### Do not run programs or open files of unknown origin

Email users should be wary of unexpected attachments or unusual links contained in email. Never download, install, run or open a program or file unless you know it to be authored by a person or company that you trust.

#### Filter the email

Sites can use email filtering techniques to delete messages known to contain this malicious code, or they can filter all attachments.
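As an added example (not part of the original CERT note), the following Python filter implements the "filter the email" step for this specific virus: it flags a message that carries the 'message.zip' attachment with 'message.html' inside it, or the body text quoted in the Description. The sample message and the inert zip it builds are constructed here for demonstration; no real attachment is involved, and a zip that cannot be read is still flagged rather than passed.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the note: 'message.zip' holding 'message.html', plus the body text.
ZIP_NAME = "message.zip"
INNER_NAME = "message.html"
BODY_MARKER = "This email address will be expiring"


def mimail_indicators(raw_message: bytes) -> list:
    """Return the W32/Mimail indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body text")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ZIP_NAME:
            continue
        hits.append("attachment " + ZIP_NAME)
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower() == INNER_NAME for n in zf.namelist()):
                    hits.append(INNER_NAME + " inside zip")
        except zipfile.BadZipFile:
            hits.append("unreadable zip named " + ZIP_NAME)  # still worth quarantining
    return hits


def sample_zip() -> bytes:
    """Harmless constructed zip holding an inert 'message.html' stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(INNER_NAME, "<html><body>inert placeholder</body></html>")
    return buf.getvalue()


def sample_message(zip_bytes: bytes) -> bytes:
    """Constructed message shaped like the one quoted in the note (example.net is a placeholder)."""
    msg = EmailMessage()
    msg["From"] = "admin@example.net"
    msg["Subject"] = "user@example.net xk7q"
    msg.set_content("Hello there,\n\nI would like to inform you about important "
                    "information regarding your email address.\nThis email address "
                    "will be expiring.\nPlease read attachment for details\n")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=ZIP_NAME)
    return msg.as_bytes()
```

`mimail_indicators(sample_message(sample_zip()))` returns all three indicators; a gateway would quarantine on any one of them.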
Author(s): Brian B. King, Kevin Houle

This document is available from: http://www.cert.org/incident_notes/IN-2003-02.html

### CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)

Fax: +1 412-268-6989

Postal address:

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

#### Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

#### Getting security information

CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History