W32/Mimail.l@MM
- Type: Virus
- SubType:
- Discovery Date: 12/01/2003
- Length: 11,446 bytes (zip), 11,296 bytes (exe)
- Minimum DAT: 4307 (12/03/2003)
- Updated DAT: 4896 (11/15/2006)
- Minimum Engine: 5.1.00
- Description Added: 12/01/2003
- Description Modified: 12/02/2003 8:29 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
Update: 12/02/2003
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.theregister.co.uk/content/56/34299.html
This W32/Mimail@MM variant seems to be buggy. Testing shows the virus doesn't always mail itself along with the email message, and may not send itself to harvested addresses.
The worm constructs email messages using its own SMTP engine. As with previous variants, the mailing routine looks up the mail server responsible for the domain of each target (harvested) address via an MX lookup on that domain, and then delivers the message directly through that SMTP server.
This worm is received in an email message as follows:
From: (seeded with one of the following)
- billing.authorizenet.com
- billing.spamcop.net
- billing.carderplanet.net
- billing.cardcops.com
- billing.register.com
- billing.spews.org
- billing.spamhaus.org
Subject (one of the following):
- Re[2]
- We are going to bill your credit card (seeded variant)
Body (one of the following):
Hi Greg its Wendy. I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. ... omitted ... I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... Wendy.
or
Good afternoon, We are going to bill your credit card for amount of $22.95 on a weekly basis. Free pack of child porn CDs is already on the way to your billing address. If you want to cancel membership and your CD pack please email order and credit card details to security@europe.spamhaus.org Are you ready for all types of underage porn? We have the best selection for every taste! Just click the secret links below and have fun: Nude boys under 16! Nude girls under 16! Incest, a daddy & a daughter! We have everything you have ever dreamed for!
Attachment (one of the following):
- wendy.zip
- test.exe (may be seen via seeding of the worm)
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine; files with the following extensions are skipped during harvesting:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
Target folders are determined by querying the following Registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Denial of Service Payload
The worm attempts to cause a denial of service on the following domains, via ICMP and HTTP traffic.
- www.authorizenet.com
- disney.go.com
- www.spamcop.net
- www.carderplanet.net
- www.cardcops.com
- www.register.com
- www.spews.org
- www.spamhaus.org
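The two network behaviours described above (direct-to-MX SMTP from a host that is not the site's mail relay, and ICMP/HTTP toward the listed domains, including the www.register.com ping check) can be surfaced from DNS-enriched flow records. This is an added detection example, not the advisory's own tooling; the relay address, the flow record layout and the sample flows are constructed assumptions.

```python
"""Flag the network behaviour the advisory describes in DNS-enriched flow
records: a non-relay host delivering SMTP straight to external MX hosts, and
ICMP/HTTP toward the domains the worm floods (www.register.com is also its
connectivity-check target). Added example; not the advisory's own tooling."""
from collections import defaultdict

# Assumption: the site's only legitimate outbound mail relay.
MAIL_RELAYS = {"10.0.0.25"}
# DoS targets taken from the advisory.
DOS_TARGETS = {
    "www.authorizenet.com", "disney.go.com", "www.spamcop.net",
    "www.carderplanet.net", "www.cardcops.com", "www.register.com",
    "www.spews.org", "www.spamhaus.org",
}
# Constructed flow records: (source IP, resolved destination name, protocol, dst port).
SAMPLE_FLOWS = [
    ("10.0.0.25", "mx1.example.net", "tcp", 25),      # the relay doing its job
    ("10.0.5.17", "mx.example.org", "tcp", 25),       # workstation talking straight to MXs
    ("10.0.5.17", "mx2.example.com", "tcp", 25),
    ("10.0.5.17", "www.register.com", "icmp", None),  # ping check / ICMP flood target
    ("10.0.5.17", "www.spamhaus.org", "tcp", 80),     # HTTP flood target
    ("10.0.5.42", "www.spamhaus.org", "tcp", 443),    # ordinary HTTPS browsing: not flagged
    ("10.0.5.99", "mx.example.org", "tcp", 25),       # one stray SMTP session: below threshold
]

def classify(flows, relays=MAIL_RELAYS, min_mx=2):
    """Return (source, reason) alerts. Direct SMTP is reported only when a
    non-relay host reaches at least `min_mx` distinct MX hosts, because a
    mass-mailer fans out to many domains while a stray session may be benign."""
    alerts = []
    mx_per_host = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto == "tcp" and port == 25 and src not in relays:
            mx_per_host[src].add(dst)
        if dst in DOS_TARGETS and (proto == "icmp" or (proto == "tcp" and port == 80)):
            alerts.append((src, f"{proto}/{port or '-'} toward DoS target {dst}"))
    for src, mxs in sorted(mx_per_host.items()):
        if len(mxs) >= min_mx:
            alerts.append((src, f"direct SMTP to {len(mxs)} external MX hosts: {sorted(mxs)}"))
    return alerts

if __name__ == "__main__":
    for src, reason in classify(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
```

Blocking outbound TCP/25 from everything except the relay stops the worm's own SMTP engine outright; the detector is for environments where that egress rule is not yet in place.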
Symptoms
The following registry key is added to run the virus at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "France" = %WinDir%\svchost.exe
The worm creates the following files:
- %WinDir%\x8wui12s.tmp (compressed copy of the worm)
- %WinDir%\xu298da.tmp (harvested email addresses)
- %WinDir%\svchost.exe (copy of the worm)
- %WinDir%\xu39reu.tmp (copy of the worm)
Note: %WinDir% stands for the Windows directory. The worm does not use this literal string; it writes to the actual system Windows directory.
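The Run value and the dropped files listed above can be checked on a host from `reg query` output and a listing of the Windows directory. This is an added example, not the advisory's own tooling; the registry output, the directory listing and C:\WINDOWS as %WinDir% are constructed assumptions. It also flags any svchost.exe launched from the %WinDir% root regardless of the value name, since the genuine svchost.exe lives under System32.

```python
"""Check a host for the persistence and file artifacts the advisory lists:
a Run value named "France" and an svchost.exe launched from the %WinDir% root
(the genuine svchost.exe lives in %WinDir%\\System32). Added example, not the
advisory's own tooling; inputs are constructed `reg query` output and a
constructed %WinDir% listing, with C:\\WINDOWS assumed as %WinDir%."""
import ntpath
import re

# File names the advisory lists under %WinDir%.
WORM_FILES = {"x8wui12s.tmp", "xu298da.tmp", "svchost.exe", "xu39reu.tmp"}
# Constructed output of: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    France          REG_SZ    C:\WINDOWS\svchost.exe
"""
SAMPLE_WINDIR_LISTING = ["explorer.exe", "notepad.exe", "svchost.exe", "win.ini", "xu298da.tmp"]
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

def parse_run_values(text):
    """Map value name -> data from `reg query` output (header lines are skipped)."""
    return {m["name"]: m["data"] for m in map(VALUE_RE.match, text.splitlines()) if m}

def check_host(reg_text, windir_files, windir=r"C:\WINDOWS"):
    """Return a list of findings; an empty list means no advisory artifact was seen."""
    findings = []
    for name, data in parse_run_values(reg_text).items():
        image = data.strip('"')
        base = ntpath.basename(image).lower()
        parent = ntpath.normpath(ntpath.dirname(image)).lower()
        reasons = []
        if name == "France":
            reasons.append("value name 'France' used by Mimail.l")
        if base == "svchost.exe" and parent == ntpath.normpath(windir).lower():
            reasons.append("svchost.exe run from %WinDir% root instead of System32")
        if reasons:
            findings.append(f"Run value {name!r} -> {data}: " + "; ".join(reasons))
    for fname in sorted(WORM_FILES & {f.lower() for f in windir_files}):
        findings.append(f"%WinDir%\\{fname} present")
    return findings

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REG_QUERY, SAMPLE_WINDIR_LISTING):
        print(finding)
```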
The worm checks for an active Internet connection by pinging www.register.com.
Method of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
Removal
All Users:
AVERT considers this to be a low risk threat. Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.