W32/Mimail.u@MM
- Type: Virus
- SubType: Remote Access
- Discovery Date: 02/13/2004
- Length: 12,080 Bytes
- Minimum DAT: 4324 (02/17/2004)
- Updated DAT: 4324 (02/17/2004)
- Minimum Engine: 5.1.00
- Description Added: 02/13/2004
- Description Modified: 02/13/2004 7:40 AM (PT)
Characteristics
This threat was spammed to many email recipients during the initial seeding.
The spammed message is as follows:
Your account is deleted. ---- SSGroup Support <212> 799-03-21 |
The worm checks to see whether there is a valid Internet connection by attempting to connect to the following domains:
- google.com
- yahoo.com
- demos.ru
- kernel.org
- navy.mil
It then attempts to connect to several IRC servers and waits there for further commands.
Mail Harvesting
Target email addresses are harvested from files on the victim's machine and written to the following file:
- C:\cyclop.bin
Harvested addresses are sent to an email address carried within the virus. When extracting addresses, the worm skips files with the following extensions:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
Symptoms
It copies itself as smvc32.exe to the %Windir% folder.
The following registry key is created to run the worm at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SMVC" = %WINDIR%\smvc.exe
The values 'magic' and 'socks' are added to the following registry key:
- HKEY_CURRENT_USER\Software
Presence of the file C:\cyclop.bin, which contains the harvested email addresses.
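The symptoms listed above can be checked on a Windows host with the following PowerShell script. It is an added example written for this page, not McAfee's tooling, and it uses only the file names, paths and registry values given in this description. Because the description names both smvc32.exe (the dropped copy) and smvc.exe (the Run value), the script looks for both.

```powershell
# Added host-check example for the W32/Mimail.u@MM indicators listed on this page.
# Not part of the McAfee description; all names and paths below come from it.

$indicators = @()

# 1. Dropped executable(s) in %WINDIR% (the page lists both spellings)
foreach ($name in 'smvc32.exe', 'smvc.exe') {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path -LiteralPath $path) {
        $indicators += [pscustomobject]@{ Type = 'File'; Detail = $path }
    }
}

# 2. Harvested-address dump written by the worm
if (Test-Path -LiteralPath 'C:\cyclop.bin') {
    $indicators += [pscustomobject]@{ Type = 'File'; Detail = 'C:\cyclop.bin' }
}

# 3. Autorun value "SMVC" under HKLM\...\CurrentVersion\Run
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'SMVC')) {
    $indicators += [pscustomobject]@{ Type = 'Registry'; Detail = "$runKey\SMVC = $($run.SMVC)" }
}

# 4. 'magic' and 'socks' values placed directly under HKCU\Software
$sw = Get-ItemProperty -Path 'HKCU:\Software' -ErrorAction SilentlyContinue
foreach ($v in 'magic', 'socks') {
    if ($sw -and ($sw.PSObject.Properties.Name -contains $v)) {
        $indicators += [pscustomobject]@{ Type = 'Registry'; Detail = "HKCU\Software\$v = $($sw.$v)" }
    }
}

if ($indicators.Count -eq 0) {
    Write-Output 'No W32/Mimail.u@MM indicators found.'
} else {
    Write-Output 'Possible W32/Mimail.u@MM indicators:'
    $indicators | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the HKLM Run key is readable. The HKCU check only covers the user running the script; to cover other profiles, load their NTUSER.DAT hives or run the script under each account. A hit on the file names alone is not proof of infection, since any program could use those names; confirm with the DAT-based scan named in the Removal section before acting.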
Method of Infection
This virus was mass-mailed, but does not spread via email. Manually running the attachment infects the local machine.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.