W32/Mimail.e@MM

Type
Virus
SubType
E-mail worm
Discovery Date
11/01/2003
Length
10,784 bytes (EXE)
10,912 bytes (ZIP)
Minimum DAT
4301 (10/31/2003)
Updated DAT
4896 (11/15/2006)
Minimum Engine
5.1.00
Description Added
11/01/2003
Description Modified
11/01/2003 3:04 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This threat is proactively detected as W32/Mimail.gen@MM with the 4301 DAT files. It is very similar to W32/Mimail.c@MM.

This mass-mailing worm spreads as a .ZIP file and contains a denial of service attack payload.

A summary of the virus characteristics is as follows:

  • contains its own SMTP engine for constructing messages
  • mails itself as a ZIP attachment
  • harvests email addresses from the local machine
  • sends a large volume of data (garbage) to a remote server - DoS payload (see below)

Scanning of compressed files should always be enabled for optimal detection.

Mail Propagation
Target email addresses are harvested from files on the victim's machine. The worm skips address extraction for files with the following extensions:

  • avi
  • bmp
  • cab
  • com
  • dll
  • exe
  • gif
  • jpg
  • mp3
  • mpg
  • ocx
  • pdf
  • psd
  • rar
  • tif
  • vxd
  • wav
  • zip

Addresses are written to the file EML.TMP in %WinDir% (such as c:\windows). Testing shows the worm is overly lax in identifying valid email addresses - as a result messages are likely to be sent to invalid recipients.

Outgoing messages are sent using the worm's own SMTP engine. They are formatted as follows:

Subject : don't be late! (plus additional spaces then random characters)
Attachment : readnow.zip (10,912 bytes) which contains readnow.doc.scr (10,784 bytes)
Message Body :
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,

so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

(random characters - the same as those terminating the subject)

The 'From' address of outgoing messages may be spoofed as follows:

  • john@(target domain) - for example john@abc.com, john@xyz.com, etc.

As with previous variants, the mailing routine looks up the mail server for the domain of the target (harvested) address and sends the message through that SMTP server. The worm also contains a hardcoded IP address (212.5.86.163).
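As an added example (not part of this advisory and not McAfee code), the following Python check turns the message description above into a mail-gateway style detector. It flags the subject prefix, the random tail that the subject and body share, the readnow.zip attachment name, and opens the ZIP to look for readnow.doc.scr; it goes one step beyond the advisory by also flagging any directly executable file inside the archive (the EXECUTABLE_EXTS tuple is an assumption, not from the advisory). The sample message is constructed inline and its ZIP member is a placeholder byte string, not the worm.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory: subject prefix, attachment name and
# the file name the ZIP contains.
SUBJECT_PREFIX = "don't be late!"
ATTACHMENT_NAME = "readnow.zip"
INNER_NAME = "readnow.doc.scr"
# Assumption (not from the advisory): extensions Windows runs directly,
# used to generalise the archive check beyond this one worm.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")


def zip_members(data: bytes) -> list[str]:
    """Return member names of a ZIP attachment, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def check_message(raw: bytes) -> list[str]:
    """Return the Mimail.e indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    if subject.lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    # The advisory says the random characters ending the subject are
    # repeated at the end of the body; check for that pairing.
    tail = subject[len(SUBJECT_PREFIX):].strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if tail and body.rstrip().endswith(tail):
        hits.append("subject/body tail")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment name")
        if name.endswith(".zip"):
            # Look inside the archive: this is what scanning compressed
            # files buys you.
            members = [m.lower() for m in zip_members(part.get_payload(decode=True))]
            if INNER_NAME in members:
                hits.append("zip member name")
            if any(m.endswith(EXECUTABLE_EXTS) for m in members):
                hits.append("executable in zip")
    return hits


def build_sample(tail: str = "kq7x") -> bytes:
    """Constructed sample message mimicking the advisory's description.
    The ZIP member is a placeholder byte string, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(INNER_NAME, b"placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "john@example.com"  # spoofed-sender pattern from the advisory
    msg["To"] = "someone@example.com"
    msg["Subject"] = f"{SUBJECT_PREFIX}    {tail}"
    msg.set_content(
        "Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,\n"
        "so don't be late. And yes, by the way here is the file you asked for.\n"
        f"It's all written there. See you.\n\n{tail}\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample()))
```

Matching on the subject alone would miss trivial edits by later variants; the archive-member and executable-in-ZIP checks are the ones that survive a changed lure text, which is why the advisory stresses scanning compressed files.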

Denial of Service
The worm sends a large amount of data to remote servers (port 80 and ICMP). The worm verifies that a connection is active by contacting www.google.com.  If successful, an attack is initiated on the following domains:

  • spews.org
  • spamhaus.org
  • spamcop.net
  • www.spews.org
  • www.spamhaus.org
  • www.spamcop.net

Symptoms

  • Presence of the file cnfrm.exe (10,784 bytes)
  • Outgoing messages matching the description above
  • Large volumes of data being sent to port 80 of a remote server

Method of Infection

When run on the victim machine, the worm installs itself into %WinDir% as cnfrm.exe. For example:

C:\WINNT\cnfrm.exe (10,784 bytes)

Three other files are also dropped into %WinDir%:

  • %WinDir%\EML.TMP - contains a list of the email addresses harvested from the victim machine
  • %WinDir%\EXE.TMP - copy of the worm
  • %WinDir%\ZIP.TMP - a ZIP archive containing the worm

System startup is hooked via the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Cnfrm32" = C:\WINNT\cnfrm.exe
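As an added example (not part of this advisory and not McAfee code), the following Python snippet turns the Method of Infection and Symptoms sections into a host-side indicator check: it compares a %WinDir% directory listing against the dropped file names (with the size the advisory gives for cnfrm.exe) and parses a .reg export of the Run key for the Cnfrm32 value. The listing and the registry export text are constructed samples; the parser assumes the export has already been decoded from UTF-16 to str and handles only string values.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory: the Run value, the installed copy and
# the three temporary files dropped into %WinDir%. A size is checked only
# where the advisory gives one.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Cnfrm32"
INSTALLED_NAME = "cnfrm.exe"
DROPPED_FILES = {"cnfrm.exe": 10784, "eml.tmp": None, "exe.tmp": None, "zip.tmp": None}


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of .reg syntax that 'reg export' writes for string
    values: [key] section headers and "name"="data" lines. dword:/hex: values
    are ignored. Backslash escapes in the data are undone."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = re.match(r'^"([^"]+)"="(.*)"$', line)
        if value and current is not None:
            data = re.sub(r"\\(.)", r"\1", value.group(2))
            keys[current][value.group(1)] = data
    return keys


def check_host(windir_listing: dict[str, int], reg_text: str) -> list[str]:
    """windir_listing maps file names in %WinDir% to sizes in bytes (for
    example built from os.scandir); reg_text is a .reg export of the Run key."""
    findings = []
    by_name = {name.lower(): size for name, size in windir_listing.items()}
    for name, expected in DROPPED_FILES.items():
        if name in by_name and (expected is None or by_name[name] == expected):
            findings.append(f"file {name}")
    run_values: dict[str, str] = {}
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == RUN_KEY.lower():
            run_values = values
    target = run_values.get(RUN_VALUE)
    if target and PureWindowsPath(target).name.lower() == INSTALLED_NAME:
        findings.append(f"run value {RUN_VALUE} -> {target}")
    return findings


# Constructed sample data, not a capture from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cnfrm32"="C:\\WINNT\\cnfrm.exe"
"SampleTray"="C:\\Program Files\\Sample\\tray.exe"
'''
SAMPLE_LISTING = {
    "cnfrm.exe": 10784, "EML.TMP": 512, "EXE.TMP": 10784,
    "ZIP.TMP": 10912, "notepad.exe": 69120,
}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_LISTING, SAMPLE_REG):
        print(finding)
```

Matching the Run value by the file name it points to, rather than by the exact `C:\WINNT\cnfrm.exe` string, keeps the check valid on machines where %WinDir% is C:\Windows rather than C:\WINNT.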

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Mimail.e (AVP)
