W32/Mimail.m@MM
- Type
- Virus
- SubType
- Discovery Date
- 12/03/2003
- Length
- 10,914 bytes (zip); 10,784 bytes (exe)
- Minimum DAT
- 4307 (12/03/2003)
- Updated DAT
- 5656 (06/24/2009)
- Minimum Engine
- 5.1.00
- Description Added
- 12/03/2003
- Description Modified
- 12/03/2003 2:58 PM (PT)
Characteristics
McAfee users are proactively protected against the W32/Mimail.m@MM executable when using the 4307 DAT files and scanning compressed executables (default scan option). The detection name is W32/Mimail.gen@MM.
This mass-mailing email worm was spammed to many email recipients during the initial seeding.
This W32/Mimail@MM variant seems to be buggy. Testing shows the virus may not send itself to harvested addresses.
The worm constructs email messages using its own SMTP engine and does not go through the victim's configured mail server. As with previous variants, for each harvested address the mailing routine performs an MX lookup on the address's domain and delivers the message directly to the mail exchanger returned for that domain.
This worm is received in an email message as follows:
[seeding may use a different name]
Subject:
Re[3] (followed by many spaces and random characters)
[seeded with the following subject]
RE:Greg
Hello Greg, I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. ... omitted ... I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... Wendy.
The seeding message also contains the following text:
For unzip archiver download WinZip: http://download.winzip.com/winzip81.exe
Attachment (one of the following):
- wendy.zip (password-protected, may be seen via seeding of the worm)
- only_for_greg.zip (containing for_greg.jpg.exe; with the default Explorer setting that hides known file extensions this member displays as for_greg.jpg)
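The lure relies on a zip attachment that carries a double-extension executable. The following script is an added example (not McAfee's tooling and not part of this advisory) of the gateway check a practitioner would want: it parses a message, lists the members of any zip attachment without extracting them, and flags executable and double-extension names as well as encrypted members. The sample message, sender and recipient addresses, and the zip content are constructed inline so the script runs offline.

```python
"""Flag mail whose zip attachment carries an executable, including
double-extension names such as for_greg.jpg.exe.

Added example; the sample message is constructed and the zip is built
in memory (its member is a placeholder, not a real PE)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as executable (assumption: extend to taste).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# "<anything>.<2-4 chars>.<executable>" e.g. for_greg.jpg.exe
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|pif|com|bat|cmd|vbs|js)$", re.I)


def suspicious_names(names):
    """Return (name, reason) for archive members that look executable."""
    hits = []
    for name in names:
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if DOUBLE_EXT.search(lower):
            hits.append((name, "double extension"))
        elif ext in EXEC_EXT:
            hits.append((name, "executable extension"))
    return hits


def inspect_message(raw: bytes):
    """Parse an RFC 5322 message and inspect every zip attachment.

    Returns a list of (attachment_filename, member_name, reason).
    Member names of a password-protected zip are still readable even
    though the contents are not, so encrypted members are reported too."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        if not fname.lower().endswith(".zip") and not payload.startswith(b"PK"):
            # Bare attachment: only the filename itself can be judged here.
            if DOUBLE_EXT.search(fname.lower()):
                findings.append((fname, fname, "double extension"))
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append((fname, "", "corrupt zip"))
            continue
        for info in zf.infolist():
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                findings.append((fname, info.filename, "encrypted member"))
        for name, reason in suspicious_names([i.filename for i in zf.infolist()]):
            findings.append((fname, name, reason))
    return findings


def build_sample() -> bytes:
    """Constructed message mimicking the lure. Attachment and member names
    come from the advisory; addresses and zip content are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("for_greg.jpg.exe", b"MZ" + b"\x00" * 64)  # not a real PE
    msg = EmailMessage()
    msg["From"] = "wendy@example.net"
    msg["To"] = "greg@example.com"
    msg["Subject"] = "RE:Greg"
    msg.set_content("as you wanted I've made a few pictures check them out in archive")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="only_for_greg.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

The check reads the central directory only, so it works on the password-protected wendy.zip variant as well: the member names and the encryption flag are visible even when the content cannot be opened, and an encrypted archive arriving unsolicited is itself worth flagging.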
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine; files with the following extensions are skipped during harvesting:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
Target folders are determined by querying the following Registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Denial of Service Payload
The worm attempts to cause a denial of service on the following domains, via ICMP and HTTP traffic.
- darkprofits.ws
- darkprofits.cc
- darkprofits.net
- darkprofits.com
- www.darkprofits.ws
- www.darkprofits.cc
- www.darkprofits.net
- www.darkprofits.com
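Two of the behaviours above leave a network footprint that is easy to spot from flow logs: a workstation that delivers mail with its own SMTP engine opens TCP/25 connections to many distinct external mail exchangers instead of the organisation's relay, and the denial-of-service payload sends a high rate of ICMP and HTTP traffic to a handful of hosts. The script below is an added example (not McAfee's code and not part of this advisory) of that detection logic. The log format ("<timestamp> <src> <dst> <proto> <dport|->"), the relay address, the thresholds and all sample lines are constructed assumptions.

```python
"""Detect a mass-mailer with its own SMTP engine (many tcp/25 destinations
from a non-relay host) and a flood of ICMP/HTTP traffic to one host.

Added example over constructed flow-log lines; format and thresholds
are assumptions, not anything the advisory specifies."""
from collections import defaultdict

MAIL_RELAY = "10.0.0.25"      # assumed: the only host allowed to talk on tcp/25
SMTP_DISTINCT_DST = 5         # assumed: distinct MX hosts per source before alerting
FLOOD_PER_DST = 20            # assumed: ICMP or HTTP events per (src, dst) before alerting


def parse(lines):
    """Yield (ts, src, dst, proto, dport); dport is None for ICMP."""
    for line in lines:
        ts, src, dst, proto, dport = line.split()
        proto = proto.upper()
        yield int(ts), src, dst, proto, (None if proto == "ICMP" else int(dport))


def detect(lines):
    """Return a sorted list of alert tuples for the given flow lines."""
    smtp_dsts = defaultdict(set)   # src -> distinct hosts contacted on tcp/25
    flood = defaultdict(int)       # (src, dst, kind) -> event count
    for ts, src, dst, proto, dport in parse(lines):
        # Direct-to-MX delivery: a workstation, not the relay, on port 25.
        if proto == "TCP" and dport == 25 and src != MAIL_RELAY:
            smtp_dsts[src].add(dst)
        # DoS payload: ICMP and HTTP hammering the same destination.
        if proto == "ICMP":
            flood[(src, dst, "icmp")] += 1
        elif proto == "TCP" and dport == 80:
            flood[(src, dst, "http")] += 1
    alerts = []
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_DISTINCT_DST:
            alerts.append(("direct-to-mx-smtp", src, len(dsts)))
    for (src, dst, kind), n in flood.items():
        if n >= FLOOD_PER_DST:
            alerts.append(("flood-" + kind, src, dst, n))
    return sorted(alerts)


def sample_log():
    """Constructed flow lines: one legitimate relay, one normal user,
    one infected workstation mailing six MX hosts and flooding a target."""
    lines = [
        "1000 10.0.0.25 203.0.113.10 TCP 25",     # relay: allowed
        "1001 10.0.0.40 198.51.100.5 TCP 80",     # normal browsing
        "1002 10.0.0.40 198.51.100.5 TCP 443",
    ]
    for i in range(6):                            # one MX per harvested domain
        lines.append(f"{1010 + i} 10.0.0.77 203.0.113.{20 + i} TCP 25")
    for i in range(25):                           # ICMP + HTTP against one host
        lines.append(f"{1100 + i} 10.0.0.77 198.51.100.9 ICMP -")
        lines.append(f"{1100 + i} 10.0.0.77 198.51.100.9 TCP 80")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The SMTP rule is the more durable of the two: it does not depend on the darkprofits domains and catches any worm that bypasses the corporate relay, which is also why egress filtering of TCP/25 to everything but the relay stops this class of mailer outright.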
Symptoms
The following registry key is added to run the virus at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NetMon" = %WinDir%\netmon.exe
The worm creates the following files:
- %WinDir%\msi2.tmp (compressed copy of the worm)
- %WinDir%\xjwu2.tmp (harvested email addresses)
- %WinDir%\netmon.exe (copy of the worm)
- %WinDir%\nji2.tmp (copy of the worm)
Note: %WinDir% stands for the Windows directory (for example C:\Windows). The worm does not write the literal string; it resolves the actual Windows directory at run time and drops its files there.
The worm checks for an active Internet connection by pinging www.register.com.
Method of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.