W32/Mimail.q@MM

Type
Virus
SubType
E-mail worm
Discovery Date
01/26/2004
Length
32,768 bytes
50,720 bytes (dropped component)
Minimum DAT
4318 (01/26/2004)
Updated DAT
5656 (06/24/2009)
Minimum Engine
5.1.00
Description Added
01/26/2004
Description Modified
01/26/2004 9:41 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a new variant of W32/Mimail@MM. This variant consists of a polymorphic dropper component (which is mailed) that drops a second file (OUTLOOK.EXE) that performs the mailing.

The worm bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • the file attachment on outgoing messages is polymorphic
  • target email addresses are harvested from the victim machine
  • the worm 'phishes' for user information - displaying a fake 'Microsoft Windows License Expiry' notice to prompt the user for credit card (and other) information.

Proactive Detection

The mailing component (OUTLOOK.EXE) that is dropped into %WinDir% on the victim machine is detected as W32/Mimail.gen@MM with the 4313 DATs (or greater).

The engine/DATs combination specified above will identify this component as W32/Mimail.q@MM.

Mail Propagation

The worm constructs email messages using its own SMTP engine. As with previous variants, the mailing routine determines the mail server responsible for the domain of each target (harvested) address via an MX lookup on that domain. Messages are then sent directly through that SMTP server, bypassing the victim's configured mail client and outbound mail relay.

Target email addresses are harvested from the victim machine, and written to the following file:

  • %WinDir%\OUTLOOK.CFG

Email addresses are harvested from certain files on the victim machine, akin to the method used in previous variants.

Initial analysis suggests outgoing messages may be constructed as follows:

Subject & Body:

The message body and subject line are both built from pools of strings carried within the worm. This produces quite a variety of strings. For example, subject lines that may be constructed include:

  • smart photos PRIVATE
  • Hi my sweet Nancy ...
  • sexy picture FOR YOU ONLY
  • Good evening my darling Margaret

Attachment: a 32,768-byte polymorphic binary with a varying filename. The filename and extension are constructed from strings carried within the worm. The following extensions may be used (note the double extensions, which disguise an executable as an image):

  • .SCR
  • .EXE
  • .PIF
  • .JPG.SCR
  • .JPG.PIF
  • .JPG.EXE
  • .GIF.EXE
  • .GIF.PIF
  • .GIF.SCR

Data Theft

The worm displays a fake dialog window telling the victim their Microsoft Windows License has expired. A form is displayed to collect their personal data, including credit card details (image is cropped):

[Fake Windows License Expiry form]

Data from this form is written to the following file:

  • C:\MMINFO.TXT

Symptoms

  • Observation of the fake error message 'ERROR: Bad CRC32' (see below)
  • Existence of the files and Registry keys detailed in the 'Method of Infection' section.

Method of Infection

1. Installation

When run on the victim machine, the worm displays the following fake error message:

[Fake error dialog: 'ERROR: Bad CRC32']

It then drops a polymorphic copy of itself in the Windows directory, as SYS32.EXE. For example:

  • C:\WINNT\SYS32.EXE (32,768 bytes)

The following Registry key is added to run this file at system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System" = C\%WinDir%\SYS32.EXE

A second binary (OUTLOOK.EXE) is also dropped into the Windows directory, for example:

  • C:\WINNT\OUTLOOK.EXE (50,720 bytes)

This binary is executed on the victim machine.

2. Other functionality

OUTLOOK.EXE contains the main 'functionality' of the worm (as described in the Virus Characteristics section). It is this component that performs the mailing routine and displays the fake expiry window to prompt for user information.

The following files are dropped into the root of C: as part of the phishing scam:

  • C:\LOGO.JPG (1,292 bytes)
  • C:\LOGOBIG.GIF (948 bytes)
  • C:\MSHOME.HTA (7,178 bytes) detected as W32/Mimail.hta with the specified engine/DATs
  • C:\WIND.GIF (2,660 bytes)
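The following is an added example, not McAfee's code, that turns the indicators from the 'Mail Propagation' and 'Method of Infection' sections into a check a responder can run against a mail-gateway attachment name or a host file/registry inventory. The inventory and Run-key dictionaries are assumed to be supplied by the caller (e.g. from a directory walk and a registry export); the sample values in the usage block are constructed.

```python
"""Match W32/Mimail.q@MM indicators from the advisory (added example)."""
from typing import Dict, List

# Attachment extensions listed in 'Mail Propagation' (matched case-insensitively).
ATTACHMENT_EXTENSIONS = (".scr", ".exe", ".pif", ".jpg.scr", ".jpg.pif",
                         ".jpg.exe", ".gif.exe", ".gif.pif", ".gif.scr")
ATTACHMENT_SIZE = 32768  # size of the mailed polymorphic dropper

# Files listed in 'Method of Infection' with the sizes the advisory gives
# (None where no size is stated). %WinDir% is expanded by host_indicators().
DROPPED_FILES = {
    r"%WinDir%\SYS32.EXE": 32768,
    r"%WinDir%\OUTLOOK.EXE": 50720,
    r"%WinDir%\OUTLOOK.CFG": None,   # harvested address list
    r"C:\MMINFO.TXT": None,          # phished form data
    r"C:\LOGO.JPG": 1292,
    r"C:\LOGOBIG.GIF": 948,
    r"C:\MSHOME.HTA": 7178,
    r"C:\WIND.GIF": 2660,
}


def suspicious_attachment(filename: str, size: int) -> bool:
    """True if an attachment matches the worm's mailed dropper (name + size)."""
    return size == ATTACHMENT_SIZE and filename.lower().endswith(ATTACHMENT_EXTENSIONS)


def host_indicators(windir: str, files: Dict[str, int],
                    run_values: Dict[str, str]) -> List[str]:
    """Return human-readable hits for the dropped files and the Run-key entry.

    files: full path -> size in bytes; run_values: value name -> command under
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (both caller-supplied).
    """
    inventory = {path.lower(): size for path, size in files.items()}
    hits = []
    for template, expected in DROPPED_FILES.items():
        path = template.replace("%WinDir%", windir).lower()
        if path in inventory:
            note = "" if expected is None or inventory[path] == expected \
                else " (size differs from advisory)"
            hits.append(f"file {path}{note}")
    for name, command in run_values.items():
        if name.lower() == "system" and command.lower().endswith("sys32.exe"):
            hits.append(f"run value {name} -> {command}")
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: an infected host with two of the dropped files.
    sample_files = {r"C:\WINNT\SYS32.EXE": 32768, r"C:\MMINFO.TXT": 55}
    sample_run = {"System": r"C:\WINNT\SYS32.EXE"}
    print(host_indicators(r"C:\WINNT", sample_files, sample_run))
    print(suspicious_attachment("photo.JPG.SCR", 32768))
```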

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all Registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Mimail.q (AVP)
  • W32/Sysout.A.worm (Panda)
