W32/Mimail.j@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 11/17/2003
Length: 13,856 bytes
Minimum DAT: 4304 (11/14/2003)
Updated DAT: 4324 (02/17/2004)
Minimum Engine: 5.1.00
Description Added: 11/17/2003
Description Modified: 11/18/2003 5:18 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

Update: 11/18/2003
This threat is considered to be a Low-Profiled risk due to media attention at:
http://www.theregister.co.uk/content/56/34050.html

This threat is proactively detected as W32/Mimail.gen@MM with the 4304 DAT files when scanning of compressed executables is enabled (the default option).

This Mimail variant attempts to steal credit card and identity information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys, which is sent to three email addresses hard-coded in the worm.

The worm constructs email messages using its own SMTP engine. As with previous variants, the mailing routine queries the mail server for the domain related to the target (harvested) address. This is determined via an MX lookup on the target domain. Messages are then sent through that SMTP server.

This worm is received in an email message as follows:

From: Do_Not_Reply@paypal.com
Subject: Important (followed by blank spaces and random characters)
[seeded copies use Subject: Problems with your PayPal account.]

Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.

Attachment (one of the following):

  • www.paypal.com.pif
  • infoupdate.exe (may be seen via seeding of the worm)

When the attachment is run, the following Window is displayed:

When the Next button is pressed, another Window is displayed:

Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine, skipping files with the following extensions:

  • avi
  • bmp
  • cab
  • com
  • dll
  • exe
  • gif
  • jpg
  • mp3
  • mpg
  • ocx
  • pdf
  • psd
  • rar
  • tif
  • vxd
  • wav
  • zip

Target folders are determined by querying the following Registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Credit Card Information Stealing
Victims of the PayPal scam will have their credit card information collated into C:\PPINFO.SYS. The worm then attempts to send this data to three email addresses:

  • kaspersky@mail15.com
  • ekaspersky@mail15.com
  • admin@kaspersky.cjb.net

Thus, outgoing DNS (MX) queries for the domains of these addresses, mail15.com and kaspersky.cjb.net, will be issued from the victim machine.

Symptoms

The following registry key is added to run the virus at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SvcHost32" = %WinDir%\svchost32.exe

The worm creates the following files:

  • c:\cansend.sys
  • c:\pp.gif (paypal icon)
  • c:\pp.hta (graphical interface)
  • c:\ppinfo.sys (your credit card details)
  • %WinDir%\ee98af.tmp (copy of the worm)
  • %WinDir%\el388.tmp (harvested email addresses)
  • %WinDir%\svchost32.exe (copy of the worm)
  • %WinDir%\zp3891.tmp

Note: %WinDir% is a placeholder for the Windows directory name. The worm does not use this literal string; it simply writes to the system's actual Windows directory.

The worm checks for an active Internet connection by pinging www.akamai.com.
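As an added example (not part of the advisory), a small Python triage helper that turns the indicators from the Credit Card Information Stealing and Symptoms sections into checks: it flags resolver log queries for the two exfiltration mail domains, matches the SvcHost32 Run value, and matches the dropped file paths. The log line format and the C:\WINDOWS value for %WinDir% are assumptions, and the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Indicators copied from the advisory: exfiltration mailbox domains, the
# persistence Run value, and the files the worm drops.
EXFIL_DOMAINS = {"mail15.com", "kaspersky.cjb.net"}
RUN_VALUE_NAME = "SvcHost32"
RUN_VALUE_DATA = r"%WinDir%\svchost32.exe"  # the genuine svchost.exe lives in %WinDir%\system32
DROPPED_FILES = {
    r"c:\cansend.sys", r"c:\pp.gif", r"c:\pp.hta", r"c:\ppinfo.sys",
    r"%WinDir%\ee98af.tmp", r"%WinDir%\el388.tmp",
    r"%WinDir%\svchost32.exe", r"%WinDir%\zp3891.tmp",
}
# Assumed (constructed) resolver log format: "<timestamp> <client_ip> <qtype> <qname>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|MX)\s+(\S+?)\.?$")

def exfil_dns_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return queries whose name is, or is under, an exfiltration domain.
    The worm resolves the MX of each recipient domain before sending, so an MX
    (or A) lookup for mail15.com / kaspersky.cjb.net from a workstation is the
    network-side symptom of ppinfo.sys being mailed out."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        qname = qname.lower()
        if any(qname == d or qname.endswith("." + d) for d in EXFIL_DOMAINS):
            hits.append({"time": ts, "client": client, "qtype": qtype, "qname": qname})
    return hits

def run_value_matches(name: str, data: str, windir: str = r"C:\WINDOWS") -> bool:
    """True if a Run-key value matches the worm's startup entry (case-insensitive)."""
    expected = RUN_VALUE_DATA.replace("%WinDir%", windir).lower()
    return name.lower() == RUN_VALUE_NAME.lower() and data.strip('"').lower() == expected

def dropped_file_hits(paths: List[str], windir: str = r"C:\WINDOWS") -> List[str]:
    """Return those of the given paths that match one of the worm's dropped files."""
    expected = {p.replace("%WinDir%", windir).lower() for p in DROPPED_FILES}
    return sorted(p for p in paths if p.lower() in expected)

# Constructed sample resolver log lines; not taken from the advisory.
SAMPLE_DNS = [
    "2003-11-17T10:01:02 10.0.0.5 MX mail15.com.",
    "2003-11-17T10:01:03 10.0.0.5 A www.akamai.com.",
    "2003-11-17T10:01:05 10.0.0.5 MX kaspersky.cjb.net.",
    "2003-11-17T10:02:00 10.0.0.9 A www.example.com.",
]
```

The www.akamai.com lookup is deliberately left unflagged: it is the worm's connectivity check, but far too common a destination to be a useful indicator on its own.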

Method of Infection

This virus spreads via email. Manually running the attachment infects the local machine.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.