[24hoursupport] Mimail.C Worm
- From: "Mike" <mikebike@xxxxxxxxx>
- To: 24hoursupport@xxxxxxxxxxxxx
- Date: Fri, 31 Oct 2003 13:54:08 -0800
Mimail.C Worm
Radar Alert LEVEL 2
NAME: Mimail.C
ALIAS: I-Worm.Mimail.c, W32/Mimail.C@mm, Mimail.C Worm_Mimail.C,
W32/Mimail-C, Mimail.C, I-Worm.Mimail.c, Bics, I-Worm.WatchNet
Summary
Mimail.C worm was first found on 31st of October, 2003. The worm spreads in
e-mails as a ZIP archive that contains the worm's executable with
PHOTOS.JPG.EXE name. The worm tries to perform a DoS (Denial of Service)
attack on certain sites and to steal information from infected computer
users.
Detailed Description
The worm's file is a PE executable 12832 bytes long packed with UPX file
compressor. The unpacked file's size is 28192 bytes.
Installation to system
When the worm's file is run, it registers itself as a service process and
becomes invisible in Task List on Windows 9x systems. The the worm copies
itself as NETWATCH.EXE file to Windows directory and creates a startup key
for this file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32" = "%windir%\netwatch.exe"
where %windir% is Windows directory name.
Then the worm deletes the following files from Windows folder if they are
present:
zip.tmp
exe.tmp
eml.tmp
After that the worm copies its file to Windows directory as EXE.TMP and
creates a ZIP archive with the name ZIP.TMP.
This ZIP archive contains the worm's copy with PHOTOS.JPG.EXE name.
The worm activates its payload and spreading theads if it can resolve the
'www.google.com' address.
Spreading in e-mails
The worm spreads in e-mails as a ZIP archive that contains the worm's
executable with the PHOTOS.JPG.EXE name. The worm fakes the sender's e-mail
address by composing it from 'james@' and the domain name of a recipient.
An infected message looks like that:
From:
james@recipient_domain_name
Subject:
Re[2]: our private photos <some random characters>
Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur
bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
<some random characters>
Attachment:
photos.zip
The worm does not use any exploits to make its file start automatically on a
recipient's system. The worm will infect a recipient's computer only when
he/she unpacks the executable file from the archive and runs it.
To collect victim's e-mail addresses the worm scans all files on a hard
drive except those with the following extensions:
bmp
jpg
gif
exe
dll
avi
mpg
mp3
vxd
ocx
psd
tif
zip
rar
pdf
cab
wav
com
The addresses are saved into the EML.TMP file located in Windows directory.
The worm tries to contact the recipient's SMTP server directly.
For this purpose it tries to resolve the current user's DNS server and
search for SMTP server info for recipient's domain.
Payload
The worm tries to perform a DoS (Denial of Service) attack on the following
sites:
darkprofits.com
darkprofits.net
www.darkprofits.com
www.darkprofits.net
If the worm is widespread these sites may go down due to huge traffic amount
generated by the worm.
Additionally the worm checks foreground windows and if it locates a window
belonging to the certain application, the worm collects certain information
from it and saves it to C:\TMPE.TMP file. Then this file is sent to e-mail
addresses that are stored in an encrypted form in the worm's body.
From; F-SECURE
http://www.europe.f-secure.com/v-descs/bics.shtml#details
See also;
Kaspersky:
http://www.viruslist.com/eng/index.html?tnews=1001&id=324533
Panda;
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=41
539
Symantc;
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@xxxxxxx
Trend;
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.C
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www.mwn.ca/ UPDATED 30/10/03
See my Anti-Virus pages UPDATED 31/10/03
<http://www3.telus.net/mikebike/mikes_virus_page.htm>
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance Charter Member
For a web-based membership management utility and information on list policies,
please see http://nibec.com/24hoursupport/
To unsubscribe, send a blank email to 24hoursupport-request@xxxxxxxxxxxxx with
"unsubscribe" (without quotes) in the subject.
Other related posts:
- » [24hoursupport] Mimail.C Worm
