W32/Mimail.s@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 01/28/2004
Length: 11520
Minimum DAT: 4321 (01/29/2004)
Updated DAT: 5656 (06/24/2009)
Minimum Engine: 5.1.00
Description Added: 01/28/2004
Description Modified: 05/11/2004 4:42 AM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update Feb 2, 2004 --
The threat was lowered to Low-Profiled due to a decrease in prevalence.

The worm contains its own SMTP engine, which it uses to replicate; it also attempts to steal the user's credit card information.

Email Propagation

The worm harvests email addresses from the victim's computer by appending .org, .net or .com to certain strings found in files in the directory C:\Program Files. These email addresses are then written to:

  • C:\windows\outlook.cfg

The subject and body of the email message sent out are constructed from strings found in the worm body. For example:

Subject: here is the file you asked for
Body: Hi! Here is the file you asked for!
Attachment: document.txt.scr

Similarly, filenames and extensions used for the attachment are constructed from strings found within the worm body. The attachment is BASE64 encoded. The following are the possible file extensions used:

  • .pif
  • .scr
  • .exe
  • .jpg.scr
  • .jpg.pif
  • .jpg.exe
  • .gif.exe
  • .gif.pif
  • .gif.scr

Data Theft

This worm attempts to steal the user's credit card information by displaying the fake Microsoft licensing window shown below (image is cropped). The stolen credit card numbers are sent to email addresses found in the worm's body. The addresses are within the domains @mail15.com and @ziplip.com. The stolen information is stored in the file:

  • C:\XX

Symptoms

The worm checks the credit card number to ensure that a dummy number has not been entered; otherwise it displays the error shown below:

The following files are created upon execution:

  • C:\ms.hta - html
  • C:\WINDOWS\outlook.cfg - phished email addresses
  • C:\WINDOWS\rabbit.exe - worm body
  • C:\WINDOWS\x - worm body

The following registry key is created to run the worm at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "RabbitWannaHome"= %WINDIR%\rabbit.exe
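The file and registry indicators listed above (together with the C:\XX file named under Data Theft) can be turned into a simple host check. The following is an added example, not McAfee's code or tooling: the decision logic is a pure function that is exercised with constructed input on any OS, and only the live collection at the bottom reads the real Run key and file system, on Windows. Matching the Run value by the rabbit.exe basename, rather than by the exact %WINDIR%\rabbit.exe string, is an assumption made so that an already-expanded path is also caught.

```python
"""Check a host for the persistence and file indicators named in this
description (added example, not McAfee's code).  check_indicators() is pure so
it can be run with constructed input anywhere; collect_live() is Windows-only."""
import ntpath   # Windows path handling that also works on non-Windows hosts
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKEY_LOCAL_MACHINE
RUN_VALUE_NAME = "RabbitWannaHome"       # value name given in the description
RUN_BINARY = "rabbit.exe"                # %WINDIR%\rabbit.exe in the description

# Files the description says are created; %WINDIR% is expanded at check time.
DROPPED_FILES = [
    r"C:\ms.hta",               # html
    r"%WINDIR%\outlook.cfg",    # harvested e-mail addresses
    r"%WINDIR%\rabbit.exe",     # worm body
    r"%WINDIR%\x",              # worm body
    r"C:\XX",                   # stolen card data
]


def expand(path: str, windir: str) -> str:
    return path.replace("%WINDIR%", windir)


def check_indicators(run_values: dict, existing_paths, windir: str = r"C:\WINDOWS") -> list[str]:
    """run_values: name -> data read from the HKLM Run key.
    existing_paths: paths that exist on disk.
    Returns one line per indicator matched (empty list if nothing matched)."""
    found = []
    data = run_values.get(RUN_VALUE_NAME)
    if data is not None:
        # Assumption: compare on the basename so an expanded path is caught too.
        binary = ntpath.basename(expand(data, windir).strip('"')).lower()
        if binary == RUN_BINARY:
            found.append(f"registry: HKLM\\{RUN_KEY}\\{RUN_VALUE_NAME} = {data}")
    present = {p.lower() for p in existing_paths}     # NTFS paths are case-insensitive
    for dropped in DROPPED_FILES:
        full = expand(dropped, windir)
        if full.lower() in present:
            found.append(f"file: {full}")
    return found


def collect_live() -> tuple[dict, list[str], str]:
    """Windows-only: read every value under the HKLM Run key and test the
    listed files for existence."""
    import winreg  # only importable on Windows
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:      # no more values
                break
            values[name] = str(data)
            index += 1
    existing = [p for p in (expand(f, windir) for f in DROPPED_FILES) if os.path.exists(p)]
    return values, existing, windir


if __name__ == "__main__":
    if sys.platform == "win32":
        values, existing, windir = collect_live()
    else:  # constructed input so the logic can be demonstrated off-box
        values = {RUN_VALUE_NAME: r"%WINDIR%\rabbit.exe"}
        existing = [r"C:\WINDOWS\rabbit.exe", r"C:\ms.hta"]
        windir = r"C:\WINDOWS"
    hits = check_indicators(values, existing, windir)
    print("\n".join(hits) if hits else "no W32/Mimail.s@MM indicators found")
```

A hit on any of these lines is a reason to run the recommended engine and DAT combination, not a substitute for it; the check reports presence only and changes nothing on the host.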

Method of Infection

This virus spreads via email. Manually running the attachment infects the local machine.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger
Stinger 2.0.0 has been made available to assist in detecting and repairing this threat.

McAfee Security IntruShield
McAfee Security IntruShield will detect the presence of this worm in mail utilizing two generic signatures that are part of the Default Policy:

1. SMTP: Possible Virus Attachment File with Double Extension - Looks for attachments with double extensions where the last extension is executable.

2. SMTP: Worm Detected in Attachment - Looks for attachments with an executable extension.

These detections will only be logged, unless you enable blocking of these types of extensions within your policy.
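The two generic signatures above, and the attachment extension list under Email Propagation, reduce to a check on the attachment filename: is the last extension executable, and is there more than one extension in front of it? The following is an added example that is not IntruShield's or McAfee's code; it parses a constructed message built from the subject, body and attachment name shown in the description, classifies each attachment the way the two signatures are described, and applies the log-versus-block caveat. The executable-extension set is an assumption (the description itself names only .pif, .scr and .exe).

```python
"""Attachment-name checks modelled on the two generic SMTP signatures described
in this advisory (added example, not IntruShield's own code).  The
executable-extension set is an assumption; the sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

SIG_DOUBLE_EXT = "SMTP: Possible Virus Attachment File with Double Extension"
SIG_EXEC_EXT = "SMTP: Worm Detected in Attachment"

# Assumed set of extensions treated as executable; the page names .pif, .scr, .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def classify_filename(name: str) -> list[str]:
    """Return the signature names a single attachment filename would trigger,
    in the order the advisory lists them."""
    parts = name.strip().lower().split(".")
    hits = []
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3:           # e.g. document.txt.scr, photo.jpg.pif
            hits.append(SIG_DOUBLE_EXT)
        hits.append(SIG_EXEC_EXT)     # any executable last extension
    return hits


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and map each attachment filename to the
    signatures it triggers; filenames with no hits are omitted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        hits = classify_filename(filename)
        if hits:
            findings[filename] = hits
    return findings


def decide(findings: dict[str, list[str]], blocking_enabled: bool) -> str:
    """Mirror the policy caveat: matches are only logged unless blocking of
    these extensions is enabled in the policy."""
    if not findings:
        return "PASS"
    return "BLOCK" if blocking_enabled else "LOG"


def build_sample_message() -> bytes:
    """Constructed message using the subject, body and attachment name shown
    in the advisory; the addresses are placeholders.  The email library
    BASE64-encodes the attachment, as the worm's own mailer does."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "here is the file you asked for"
    msg.set_content("Hi! Here is the file you asked for!")
    msg.add_attachment(b"MZ\x00\x00 constructed placeholder bytes, not a real PE",
                       maintype="application", subtype="octet-stream",
                       filename="document.txt.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    found = scan_message(build_sample_message())
    for name, sigs in found.items():
        print(name, "->", "; ".join(sigs))
    print("action:", decide(found, blocking_enabled=False))
```

The check is deliberately name-based, as the two signatures are: it fires on document.txt.scr and photo.jpg.pif regardless of the declared MIME type, and it does not fire on photo.jpg, so an attachment renamed to a non-executable extension is not caught by this layer and is left to the engine and DAT scan.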

McAfee Security Threatscan
ThreatScan signatures that can detect the W32/Mimail.s@MM virus are now available from:

  • Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
  • Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or- 

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4062

McAfee Personal Firewall Plus  
Any attempted communication by this worm will be blocked, resulting in the following message:

You are infected by the Mimail virus. Your firewall has stopped this worm from spreading to another system and is preventing the worm owner from remotely controlling your system. However, your system remains infected. Please update your anti-virus defintions and run a full system scan. Please refer to: W32/Mimail.s@MM for more detailed information.

  Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Mimail.r (AVP)
  • W32.Mimail.R@mm (Symantec)
  • W32/Mimail-S (Sophos)
  • W32/Mimail.Q@mm (Norman)
  • W32/Mimail.S.worm (Panda)
  • WORM_MIMAIL.S (Trend)
