New Internet Virus: I-Worm.Mimail
The infected messages have the following properties:
From: admin@%fake email address%
where %fake email address% varies from message to message.
Subject: your account %rnd str%
where %rnd str% is a random string that varies from message to message.
Body:
Hello there,
I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.
—
Best regards, Administrator
—
Attachment:
message.zip
The attached ZIP archive contains a file named "message.html". When this HTML file is opened it drops FOO.EXE (a copy of the worm) into the "Downloaded Program Files" directory and runs it. To drop and execute the EXE the worm exploits a vulnerability in Internet Explorer that allows JavaScript in an HTML file to access files on disk without any prompt or warning message. Opening the HTML file in an unpatched browser is therefore sufficient; no further user action is required.
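The message layout and attachment described above are enough to triage captured mail offline. The following Python is an added example, not code from the original advisory: it assembles a constructed sample message (the sender domain example.org, the random subject suffix and the script-bearing stand-in for message.html are all assumptions), then parses a raw RFC 822 message, checks the "admin@" sender and "your account" subject pattern, opens the message.zip attachment, confirms it holds a message.html containing script, and also records whether the archive is stored rather than compressed (the worm's own ZIP routine writes stored entries, as noted under Installing below). Size limits guard against inflating oversized or malformed archives.

```python
import io
import re
import zipfile
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SUBJECT_RE = re.compile(r"^your account \S+$", re.IGNORECASE)
MAX_ATTACHMENT = 1 << 20   # refuse to parse attachments over 1 MiB
MAX_MEMBER = 1 << 20       # refuse to inflate archive members over 1 MiB

# Constructed stand-in for the dropper page; the real message.html is not reproduced here.
SAMPLE_HTML = b"<html><body><script>/* constructed stand-in for the IE dropper */</script></body></html>"


def build_sample_eml(html=SAMPLE_HTML, method=zipfile.ZIP_STORED, attach=True):
    """Assemble a constructed message with the header and attachment layout listed above."""
    msg = MIMEMultipart()
    msg["From"] = "admin@example.org"       # hypothetical sender domain
    msg["To"] = "user@example.org"
    msg["Subject"] = "your account qwz19"   # 'qwz19' stands in for %rnd str%
    msg.attach(MIMEText("Hello there,\nPlease read attachment for details.\n", "plain"))
    if attach:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("message.html", html, compress_type=method)
        part = MIMEBase("application", "zip")
        part.set_payload(buf.getvalue())
        encoders.encode_base64(part)
        part.add_header("Content-Disposition", "attachment", filename="message.zip")
        msg.attach(part)
    return msg.as_bytes()


def triage(raw):
    """Return the Mimail indicators found in one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw)
    sender = (msg.get("From") or "").strip().lower()
    subject = (msg.get("Subject") or "").strip()
    found = {
        "from_admin": "admin@" in sender,
        "subject_pattern": bool(SUBJECT_RE.match(subject)),
        "zip_attachment": False,
        "zip_stored_only": False,
        "has_message_html": False,
        "html_has_script": False,
        "malformed_zip": False,
    }
    for part in msg.walk():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        found["zip_attachment"] = True
        data = part.get_payload(decode=True) or b""
        if len(data) > MAX_ATTACHMENT:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
                # The worm's own ZIP writer uses method "stored"; a compressed
                # archive argues against this particular builder.
                found["zip_stored_only"] = bool(infos) and all(
                    i.compress_type == zipfile.ZIP_STORED for i in infos
                )
                for info in infos:
                    if info.filename.lower() != "message.html" or info.file_size > MAX_MEMBER:
                        continue
                    found["has_message_html"] = True
                    found["html_has_script"] = b"<script" in zf.read(info).lower()
        except zipfile.BadZipFile:
            found["malformed_zip"] = True
    # A ZIP-wrapped message.html carrying script is the dropper pattern itself;
    # the header checks are supporting evidence, since both fields vary.
    found["verdict"] = found["has_message_html"] and found["html_has_script"]
    return found


if __name__ == "__main__":
    for name, hit in triage(build_sample_eml()).items():
        print(f"{name:>18}: {hit}")
```

The verdict rests on the attachment structure rather than on the From and Subject headers, because both header fields are randomised per message and are cheap for a later variant to change; the header indicators are reported alongside so an analyst can see how closely a sample matches the campaign described here.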
Installing
During installation the worm copies itself to the Windows directory as "videodrv.exe" and registers that file under the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VideoDriver = %WinDir%\videodrv.exe
The worm also creates the following files in the Windows directory:
exe.tmp – the worm embedded in an HTML file (the dropper page)
zip.tmp – that HTML file packed into a ZIP archive (method "stored", i.e. no compression)
eml.tmp – the list of e-mail addresses found on the infected machine
To create the ZIP archive the worm uses its own built-in ZIP-format writing routine; it does not rely on an external archiver.
Spreading
To send infected messages the worm uses its own built-in SMTP engine, so it does not depend on the victim's mail client.
To harvest victim e-mail addresses the worm opens the files under the "Shell Folders" locations and in "Program Files" and scans them for e-mail-like text strings.
The worm also appears to send "random spam" messages to and from randomly generated e-mail addresses, with a random subject and the file "c:\tmpe.tmp" attached. "tmpe.tmp" appears to contain random data.