W32/Mimail.t@MM
- Type: Virus
- SubType:
- Discovery Date: 02/05/2004
- Length: 13,503 bytes (zip), 14,880 bytes (exe)
- Minimum DAT: 4313 (01/07/2004)
- Updated DAT: 5656 (06/24/2009)
- Minimum Engine: 5.1.00
- Description Added: 02/05/2004
- Description Modified: 02/13/2004 2:14 AM (PT)
Characteristics
McAfee users are proactively protected against the W32/Mimail.t@MM executable when using the 4313 DAT files and scanning compressed executables (default scan option). The detection name is W32/Mimail.gen@MM.
This mass-mailing email worm was spammed to many email recipients during the initial seeding.
The worm constructs email messages using its own SMTP engine.
The spammed message is as follows:
From:
"Nancy"
Hi Gollum its Nancy., I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Gollum. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. ... omitted ... I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...
Attachment:
- Fail.hta (password-protected zip file - 13,503 bytes), containing test.exe (14,880 bytes).
- Users may receive another seeding of the message containing the actual password to the ZIP file.
The worm checks whether it has a working Internet connection by attempting to connect to www.google.com.
Mail Propagation
Target email addresses are harvested from files on the victim's machine. The worm does not extract addresses from files with the following extensions:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
Other data (RAS details, passwords, e-gold information - still under analysis) may also be harvested from the victim machine.
Denial of Service Payload
The worm attempts to cause a denial of service against the following domains by flooding them with ICMP and HTTP traffic.
- darkprofits.ws
- darkprofits.cc
- darkprofits.net
- darkprofits.com
- www.darkprofits.ws
- www.darkprofits.cc
- www.darkprofits.net
- www.darkprofits.com
Symptoms
The following files are created upon execution:
- %Windir%\Kaspersky.exe
- %Windir%\outlook.cfg - phished email addresses
- %Windir%\ ee98af.tmp
The following registry value is created to run the worm at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAV" = %WINDIR%\Kaspersky.exe
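As an added example that is not part of the McAfee description, the following PowerShell script checks a Windows host for the dropped files and the Run value listed above and reports what it finds without changing anything; it assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example (not McAfee tooling): read-only host check for the
# W32/Mimail.t@MM indicators listed in this description.
$windir = $env:WINDIR

# Files the description says are created under %Windir% on execution.
$droppedFiles = @(
    'Kaspersky.exe',   # worm body (14,880 bytes in the analysed sample)
    'outlook.cfg',     # harvested e-mail addresses
    'ee98af.tmp'       # temp file (page lists it as "%Windir%\ ee98af.tmp")
) | ForEach-Object { Join-Path $windir $_ }

$findings = @()

foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $note = ''
        # A size match with the analysed sample is a weak hint, not proof.
        if ($item.Name -ieq 'Kaspersky.exe' -and $item.Length -eq 14880) {
            $note = ' (size matches the analysed sample)'
        }
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$path, $($item.Length) bytes, modified $($item.LastWriteTime)$note"
        }
    }
}

# Persistence: Run value "KasperskyAV" pointing at %WINDIR%\Kaspersky.exe.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($null -ne $run) {
    # Check the documented value name, and any value whose data names the
    # worm executable in case the name differs on this host.
    $run.PSObject.Properties |
        Where-Object { $_.Name -eq 'KasperskyAV' -or
                       "$($_.Value)" -imatch 'Kaspersky\.exe' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'
                Detail    = "$runKey\$($_.Name) = $($_.Value)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Mimail.t@MM indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the registry value alone is worth investigating even if the files are gone, since the Run entry survives a partial cleanup.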
Method of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.