W32/Mimail.p@MM
- Type
- Virus
- SubType
- E-mail worm
- Discovery Date
- 01/07/2004
- Length
- 57,888 bytes (not packed)
  23,072 bytes (UPXed)
  58,010 bytes (ZIP)
- Minimum DAT
- 4313 (01/07/2004)
- Updated DAT
- 5656 (06/24/2009)
- Minimum Engine
- 5.1.00
- Description Added
- 01/07/2004
- Description Modified
- 01/08/2004 5:43 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update 7th January 2004 --
This threat is considered to be a Low-Profiled risk due to media attention at:
http://www.techweb.com/wire/story/TWB20040107S0008
This detection is for a new variant of W32/Mimail@MM. AVERT has received samples of the mass-mailing worm (written in MSVC), both packed with UPX and not packed.
Initial analysis shows the worm to bear the following characteristics:
- intended to construct messages using its own SMTP engine, and send them to target email addresses harvested from the victim machine
- outgoing messages are intended to bear the worm as a ZIP file attachment (PP-APP.ZIP). The message is constructed to fool the recipient into thinking it is from PayPal.
- victim details (including credit card details) are harvested from the victim machine (similarly to W32/Mimail.j@MM).
Mail Propagation
The worm is intended to email itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. As for previous variants, target folders are determined by querying the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Analysis is still ongoing to confirm this worm successfully replicates via mailing itself. However, messages are likely to be constructed as follows:
Subject: GREAT NEW YEAR OFFER FROM PAYPAL.COM!
Attachment: PP-APP.ZIP (contains randomly named EXE)
Body:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***
Dear PayPal.com Member,
We here at PayPal.com are pleased to announce that we have a special New Year offer for you!
If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!
If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.
That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!
Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com
Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!
Best of luck in the New Year,
PayPal.com Team
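The subject line and the PP-APP.ZIP attachment (a ZIP wrapping a randomly named EXE) are the gateway-visible indicators of this message. The following is an added example, not code from the original description or from AVERT: a Python check that flags a raw RFC 822 message on those three indicators, with a constructed test fixture (`build_sample_message`, a dummy non-executable ZIP member) so it runs offline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the description. The helper names below are this
# example's own and not part of any product.
SUBJECT_IOC = "GREAT NEW YEAR OFFER FROM PAYPAL.COM!"
ATTACHMENT_IOC = "PP-APP.ZIP"

def zip_contains_executable(data: bytes) -> bool:
    """True if the ZIP archive holds any member whose name ends in .exe."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(".exe") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def inspect_message(raw: bytes) -> list:
    """Return the indicator names matched by a raw message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().upper() == SUBJECT_IOC:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").upper() == ATTACHMENT_IOC:
            hits.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        if zip_contains_executable(payload):
            hits.append("zip-with-exe")
    return hits

def build_sample_message(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed fixture: a message carrying a ZIP with one dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed test body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Matching on all three indicators together keeps false positives low; matching on "zip-with-exe" alone is a broader policy rule that catches later variants with different names.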
PayPal Scam
When the worm is run, the following window is displayed:
When this form is completed, its data is written to the following file:
- C:\TMPNY3.TXT
Next, the following window is displayed:
Data from this form is written (encrypted) to the following file:
- C:\TMPENC.TXT
Finally, a confirmation window is displayed.
Information Stealing
Victims of the PayPal scam will have their credit card information collated into files in the root of C:\ (as noted above).
TMPNY3.TXT contains credit-card details. Initial analysis suggests this file is sent via email to addresses hard-coded in the worm.
TMPENC.TXT contains date of birth, address and similar information (encrypted). This data is posted via HTTP to a remote PHP script for processing.
Other data (RAS details, passwords, e-gold information; still under analysis) may also be harvested from the victim machine and posted via HTTP to a remote PHP script for processing.
Symptoms
The worm installs itself into %WinDir% as WINMGR32.EXE, for example:
C:\WINNT\WINMGR32.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinMgr32" = %WinDir%\WINMGR32.EXE
The following files are also created (some are deleted by the worm):
- C:\TMPENC.TXT (harvested form information - see above)
- C:\TMPNY3.TXT (harvested form information - see above)
- %WinDir%\EE98AF.TMP (copy of the worm)
- %WinDir%\OUTLOOK.CFG (harvested email addresses)
- %WinDir%\ZIPZIP.TMP (ZIP archive containing the worm)
Note: %WinDir% is a variable for the Windows directory name. The worm does not use this exact name. It simply uses the system %WinDir% directory.
The worm checks for an active Internet connection by pinging www.google.com.
The default Internet Explorer start page is set to:
http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg
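The Run value, the dropped files and the changed start page above are the host-side indicators. As an added example that is not part of the original description, the Python below reads those artifacts from a live Windows host (`collect_snapshot`, using `winreg` and the standard Internet Explorer `Main\Start Page` value, which the page itself does not name) and evaluates them separately (`evaluate`), so the logic can be exercised offline with a constructed snapshot; all helper names are this example's own.

```python
import os

# Indicators from the description; helper names are assumptions of this example.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinMgr32"
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"  # standard IE key, not from the page
START_PAGE_IOC = "http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg"
DROPPED_FILES = [r"C:\TMPNY3.TXT", r"C:\TMPENC.TXT"]
WINDIR_FILES = ["WINMGR32.EXE", "EE98AF.TMP", "OUTLOOK.CFG", "ZIPZIP.TMP"]

def collect_snapshot() -> dict:
    """Read the live host (Windows only) into the dict evaluate() expects."""
    import winreg  # imported here so evaluate() stays usable on other platforms

    def read_value(root, key, name):
        try:
            with winreg.OpenKey(root, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None  # key or value absent

    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    candidates = DROPPED_FILES + [os.path.join(windir, f) for f in WINDIR_FILES]
    return {
        "run_winmgr32": read_value(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, RUN_VALUE_NAME),
        "start_page": read_value(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY, "Start Page"),
        "existing_files": [p for p in candidates if os.path.isfile(p)],
    }

def evaluate(snapshot: dict) -> list:
    """Return human-readable findings; the Run value alone is enough to flag,
    dropped files and the start page corroborate (some files are deleted by the worm)."""
    findings = []
    run = snapshot.get("run_winmgr32")
    if run and run.upper().endswith("WINMGR32.EXE"):
        findings.append(f"startup hook: Run\\{RUN_VALUE_NAME} = {run}")
    if (snapshot.get("start_page") or "").lower() == START_PAGE_IOC.lower():
        findings.append("IE start page set to the URL used by the worm")
    for path in snapshot.get("existing_files", []):
        findings.append(f"dropped file present: {path}")
    return findings

if __name__ == "__main__":
    for line in evaluate(collect_snapshot()):
        print(line)
```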
Method of Infection
The virus spreads via email; running the executable inside the ZIP attachment infects the local machine.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.