The Mimail email worm was discovered on August 1, 2003. The sender's name is spoofed so that the message appears to come from the administrator of the recipient's domain. This social engineering tactic may lead some recipients to believe the email is legitimate, and it makes tracing the actual sender (an infected victim) more difficult. Mimail uses its own SMTP engine to send itself, so mail sent from an infected user's system will not appear in the Sent Items folder of their mail client; it may also be missed by antivirus products tasked with guarding specific mail accounts. Mimail exploits a vulnerability reported to the Bugtraq mailing list in February 2003, apparently using the identical HTML provided in that exploit description.
The email composed by Mimail appears as follows:
Subject: your account
Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details
---
Best regards, Administrator
The email carries an attachment named message.zip. Inside the zip file is an HTML file named message.html, and embedded within message.html is an encrypted binary executable named foo.exe. If the HTML file is opened, scripts contained within it automatically launch the embedded foo.exe. Microsoft patched the vulnerability this exploit relies on in Microsoft Security Bulletin MS03-014, which fixes an MHTML flaw in Outlook Express. Outlook Express provides MHTML handling to Internet Explorer when web pages containing MHTML commands are accessed, so Outlook Express does not need to be the mail client in use for the exploit to work. Additionally, because message.html is contained within the zip file, decompressing the zip places the file in the Local Computer zone, bypassing the protection afforded by the stricter security settings of the Internet and Restricted Sites zones.
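The message structure described above (spoofed admin sender, subject "your account", message.zip wrapping message.html) can be checked at the mail gateway without ever rendering the HTML. The following is an added example, not code from the original advisory: it builds a constructed sample message with a real in-memory zip (the HTML inside is an inert placeholder), then triages a raw RFC 822 message for those indicators. The set of "administrator" local parts is an assumption; the advisory only says the sender is spoofed as the recipient domain's administrator.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: local parts the spoofed sender is likely to use. The advisory
# only states "the administrator of the recipient's domain".
ADMIN_LOCAL_PARTS = {"admin", "administrator"}


def build_sample_message() -> bytes:
    """Constructed sample shaped like the Mimail email. The zip holds a
    placeholder message.html, not the worm's HTML or executable."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("message.html", "<html><body>placeholder</body></html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.org"   # same domain as the recipient
    msg["To"] = "user@example.org"
    msg["Subject"] = "your account"
    msg.set_content("Hello there,\nPlease read attachment for details\n")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def _local(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[0].lower()


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list[str]:
    """Return the Mimail indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == "your account":
        hits.append("subject:your account")
    sender, recipient = msg.get("From", ""), msg.get("To", "")
    # Sender claims to be the admin of the recipient's own domain.
    if (_local(sender) in ADMIN_LOCAL_PARTS and _domain(sender)
            and _domain(sender) == _domain(recipient)):
        hits.append("from:spoofed-admin")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name != "message.zip":
            continue
        hits.append("attachment:message.zip")
        payload = part.get_payload(decode=True) or b""
        # Only list the archive members; nothing is extracted or opened.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            hits.append("attachment:unreadable-zip")
            continue
        if "message.html" in names:
            hits.append("zip:message.html")
    return hits


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The subject and attachment names are the weakest indicators, since a later variant could change them; the sender-equals-own-domain-admin check is the one worth keeping as a general rule, because legitimate mail from your own administrator should arrive through your own servers and will normally fail SPF or DKIM when it does not.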
Symptoms of infection
- FILES: Mimail copies itself to the Windows directory as VIDEODRV.EXE and adds the filename to the system registry so that it will be activated each time the system is booted. Additionally, Mimail creates three other files: EML.TMP, EXE.TMP, and ZIP.TMP.
- REGISTRY EDITS: Depending on the OS and user configuration, either the HKCU or the HKLM \SOFTWARE\Microsoft\Windows\CurrentVersion\Run key is modified to include the value "VideoDriver = C:\Windows\videodrv.exe".
- The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units key is modified to include the subkey {11111111-1111-1111-1111-111111111111}.
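The file and registry indicators listed above are enough for a simple host check. The following is an added example and not part of the original advisory: it evaluates a snapshot of the Windows directory listing and the relevant registry keys against those indicators. The snapshot here is constructed so the code runs offline; on a live Windows host the same two arguments would be populated from os.scandir on the Windows directory and from the winreg module.

```python
import ntpath

# Indicators from the advisory. Registry paths are compared case-insensitively
# with the hive name abbreviated to HKCU / HKLM.
MIMAIL_FILES = {"videodrv.exe", "eml.tmp", "exe.tmp", "zip.tmp"}
RUN_VALUE_NAME = "videodriver"
RUN_VALUE_IMAGE = "videodrv.exe"
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
DISTRIBUTION_UNITS = r"hklm\software\microsoft\code store database\distribution units"
MIMAIL_UNIT = "{11111111-1111-1111-1111-111111111111}"

_HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}


def norm_key(path: str) -> str:
    """Lower-case a registry key path and abbreviate the hive name."""
    hive, sep, rest = path.lower().partition("\\")
    return _HIVES.get(hive, hive) + sep + rest


def check_host(windows_files, registry) -> list[str]:
    """windows_files: iterable of full paths found in the Windows directory.
    registry: mapping of key path -> {value name: data}; a key mapped to an
    empty dict records that the key exists (used for the subkey check)."""
    reg = {norm_key(k): v for k, v in registry.items()}
    hits = []
    # Run-key persistence: match on the value name or on the image it launches,
    # so renaming one of them does not hide the entry.
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if (name.lower() == RUN_VALUE_NAME
                    or ntpath.basename(str(data)).lower() == RUN_VALUE_IMAGE):
                hits.append(f"run:{name}={data}")
    # Dropped files in the Windows directory.
    for path in windows_files:
        if ntpath.basename(path).lower() in MIMAIL_FILES:
            hits.append(f"file:{path}")
    # Distribution Units subkey left by the MHTML code-download path.
    if f"{DISTRIBUTION_UNITS}\\{MIMAIL_UNIT}" in reg:
        hits.append(f"regkey:{MIMAIL_UNIT}")
    return hits


# Constructed snapshot of an infected host (not captured from a real system).
SAMPLE_FILES = [
    r"C:\Windows\videodrv.exe",
    r"C:\Windows\eml.tmp",
    r"C:\Windows\notepad.exe",
]
SAMPLE_REGISTRY = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "VideoDriver": r"C:\Windows\videodrv.exe",
        "Updater": r"C:\Program Files\Vendor\updater.exe",  # benign, constructed
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}": {},
}

if __name__ == "__main__":
    for hit in check_host(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(hit)
```

Matching the Run value on either the name or the launched image, rather than on the exact "VideoDriver = C:\Windows\videodrv.exe" string, keeps the check useful when the Windows directory is not C:\Windows.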
Antivirus vendors provided updates to detect Mimail on August 1, 2003. Additionally, Symantec has created a free removal tool to detect and remove the worm.