W32/Manymize@MM

Type
Virus
SubType
E-mail worm
Discovery Date
07/23/2002
Length
Varies
Minimum DAT
4214 (07/24/2002)
Updated DAT
4346 (03/31/2004)
Minimum Engine
5.1.00
Description Added
07/29/2002
Description Modified
07/29/2002 9:16 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

AVERT has yet to receive a field sample of this threat and considers it to be a Low-Profiled risk as it has received some media attention.

This is a mass-mailing worm that exploits Microsoft Internet Explorer and Windows Media Player vulnerabilities to propagate. It arrives in an email message with the following characteristics:

Subject: How are you !! (recipient address)
or Subject: My friend, (recipient address)
or Subject: Hello (recipient address)
or Subject: Dear (recipient address)
or Subject: Hi (recipient address)

Body: (built from 4 parts, one phrase selected from each of the following lists)

    Part 1
  • How are you !! (recipient address)
  • My friend, (recipient address)
  • Hello (recipient address)
  • Dear (recipient address)
  • Hi (recipient address)
    Part 2
  • , Watch my
  • , Attached is my
  • , Open the
  • , This is
  • , See this
    Part 3
  • special
  • amusing
  • cute
  • interesting
  • funny
    Part 4
  • tape.
  • clip.
  • penguin.
  • movie.
  • video.
Attachments:
  • MI2.HTM (515 bytes)
  • MI2.CHM (11,373 bytes)
  • MI2.WMV (19,461 bytes)
  • MI2.EXE (73,728 bytes)
The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (Microsoft Security Bulletin MS01-020) so that Internet Explorer opens the MI2.WMV attachment automatically when the message is rendered. The .WMV file displays a short video.

The .WMV file in turn exploits a Windows Media Player vulnerability to open the MI2.HTM file automatically. The .HTM file hands control to MI2.CHM, which then runs MI2.EXE. The .EXE file contains the mailing routine, which gathers email addresses from the Windows Address Book (WAB) and sends each recipient a copy of the worm through the default SMTP server configured in the Internet Account Manager:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The worm also sends notification messages to randomly selected @pchome.com.tw email addresses. The subject of these messages contains the email address of the infected user.
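A mail-gateway check for the message shape described above, written as an added example for this page (it is not code from the AVERT description or from the worm). It parses one raw RFC 822 message and reports whether the subject and body follow the described grammar, whether the four attachments are present at their published lengths, and whether any attachment declares a passive audio/image Content-Type while carrying a filename of another kind, which is the mismatch the MS01-020 class of auto-open bug relies on. The description does not state how the worm joins the four body parts or which Content-Type it declares on the attachments, so the regex tolerates optional whitespace and the audio/x-wav label on MI2.WMV in the constructed sample is an assumption.

```python
"""Mail-level detector for the Manymize message shape (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject grammar from the description: greeting, space, recipient address.
GREETING = r"(?:How are you !!|My friend,|Hello|Dear|Hi)"
ADDRESS = r"\S+@\S+"
SUBJECT_RE = re.compile(rf"^{GREETING} {ADDRESS}$")

# Body grammar: one phrase from each of the four lists. How the worm joins
# the parts is not stated, so whitespace around the comma is tolerated
# (assumption for this example).
BODY_RE = re.compile(
    rf"^{GREETING}\s+{ADDRESS}\s*,\s*"
    r"(?:Watch my|Attached is my|Open the|This is|See this)\s+"
    r"(?:special|amusing|cute|interesting|funny)\s+"
    r"(?:tape|clip|penguin|movie|video)\.$"
)

# Attachment names and lengths (bytes) from the description, lower-cased
# because Windows filenames compare case-insensitively.
DROPPED_FILES = {"mi2.htm": 515, "mi2.chm": 11373, "mi2.wmv": 19461, "mi2.exe": 73728}

# Extensions that plausibly belong to a passive media Content-Type. A part
# declared audio/* or image/* with any other extension is the MS01-020
# pattern: IE trusted the declared type when deciding to open the part,
# Windows then chose the handler from the filename.
MEDIA_EXTENSIONS = {
    "audio": {"wav", "mp3", "mid", "midi", "au", "aif", "aiff"},
    "image": {"gif", "jpg", "jpeg", "png", "bmp"},
}


def _extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_message(raw):
    """Parse one raw message and return a dict of findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "subject_match": False,
        "body_match": False,
        "dropped_files": [],  # attachment names matching both name and length
        "mime_mismatch": [],  # (filename, declared Content-Type) pairs
    }

    subject = str(msg.get("Subject", ""))
    findings["subject_match"] = bool(SUBJECT_RE.match(subject.strip()))

    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        findings["body_match"] = bool(BODY_RE.match(body.get_content().strip()))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if DROPPED_FILES.get(name.lower()) == len(data):
            findings["dropped_files"].append(name)
        major = part.get_content_maintype()
        if major in MEDIA_EXTENSIONS and _extension(name) not in MEDIA_EXTENSIONS[major]:
            findings["mime_mismatch"].append((name, part.get_content_type()))

    if findings["subject_match"] and len(findings["dropped_files"]) == len(DROPPED_FILES):
        findings["verdict"] = "manymize"
    elif findings["mime_mismatch"] or findings["body_match"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample(recipient="victim@example.invalid"):
    """Construct an illustrative message in the described shape.

    Attachment bodies are zero-filled to the published lengths. Labelling
    MI2.WMV as audio/x-wav illustrates the MS01-020 mismatch; it is an
    assumption for this example, not a header quoted from a real sample.
    """
    msg = EmailMessage()
    msg["From"] = "infected@example.invalid"
    msg["To"] = recipient
    msg["Subject"] = f"Hello {recipient}"
    msg.set_content(f"Hello {recipient}, Watch my funny video.")
    msg.add_attachment(b"\0" * 515, maintype="application", subtype="octet-stream", filename="MI2.HTM")
    msg.add_attachment(b"\0" * 11373, maintype="application", subtype="octet-stream", filename="MI2.CHM")
    msg.add_attachment(b"\0" * 19461, maintype="audio", subtype="x-wav", filename="MI2.WMV")
    msg.add_attachment(b"\0" * 73728, maintype="application", subtype="octet-stream", filename="MI2.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in check_message(build_sample()).items():
        print(f"{key}: {value}")
```

The verdict is deliberately two-tiered: the name-and-length match identifies this specific worm, while the Content-Type/filename mismatch is generic and will also flag other mail that abuses the same auto-open behaviour, so a gateway can quarantine on "suspicious" even when the attachment names change.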

Symptoms

Presence of the following files:

  • %temp%\mi2.chm
  • %temp%\mi2.exe
  • %temp%\mi2.htm
  • %temp%\mi2.wmv

Method of Infection

This worm exploits Microsoft vulnerabilities to automatically infect users of unpatched systems; the message only has to be rendered, the user does not have to open an attachment. Its sole objective is to mass-mail itself. It does not install itself to load at system startup.

Removal

All Users:
Use current engine and DAT files for detection, and delete any file that contains this detection. The worm does not register itself to run at system startup, so no startup or registry clean-up is needed beyond removing the dropped files from %temp%. Apply the Microsoft patches for the Internet Explorer and Windows Media Player vulnerabilities the worm exploits to prevent reinfection.
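A host-side check for the indicators the Symptoms and Removal sections give, added here as an example (it is not code from the AVERT description). It scans the temp directory for the four dropped files, compares their sizes with the published lengths, and can delete what it finds. Because the worm installs no startup entry, these files are the only on-disk artifact the description lists. The temp_dir parameter is an addition for this example so the check can be pointed at a mounted image or a scratch directory; it defaults to the current user's temp directory (%temp%).

```python
"""Host triage for the files Manymize drops in %temp% (added example)."""
import os
import tempfile

# Names and lengths (bytes) from the description, lower-cased because
# Windows filenames compare case-insensitively.
DROPPED_FILES = {"mi2.htm": 515, "mi2.chm": 11373, "mi2.wmv": 19461, "mi2.exe": 73728}


def scan_temp(temp_dir=None):
    """Return {name: (path, size, size_matches)} for each dropped file
    found in temp_dir (default: the current user's temp directory)."""
    temp_dir = temp_dir or tempfile.gettempdir()
    found = {}
    try:
        entries = os.listdir(temp_dir)
    except OSError:
        return found
    for entry in entries:
        expected = DROPPED_FILES.get(entry.lower())
        path = os.path.join(temp_dir, entry)
        if expected is None or not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        found[entry.lower()] = (path, size, size == expected)
    return found


def verdict(found):
    """'infected' when all four files are present at the published sizes,
    'partial' when only some are present or a size differs, else 'clean'."""
    if not found:
        return "clean"
    if len(found) == len(DROPPED_FILES) and all(ok for _, _, ok in found.values()):
        return "infected"
    return "partial"


def remove_dropped(found, dry_run=True):
    """Delete the files scan_temp() reported and return their paths.
    Defaults to a dry run so the operator can review the list first."""
    removed = []
    for path, _, _ in found.values():
        if not dry_run:
            os.remove(path)
        removed.append(path)
    return removed


if __name__ == "__main__":
    hits = scan_temp()
    for name, (path, size, ok) in sorted(hits.items()):
        state = "matches" if ok else "differs from"
        print(f"{path}: {size} bytes ({state} published length)")
    print("verdict:", verdict(hits))
    for path in remove_dropped(hits, dry_run=True):
        print("would remove:", path)
```

A "partial" verdict (some files present, or a size that differs from the published length) is worth keeping distinct from "infected": it can mean a variant, a truncated download, or an unrelated file that happens to share the name, and the operator should look before deleting.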

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Win32.Manymize.A@mm (BitDefender)
  • WORM_MANYMIZE.A (Trend)
  • I-Worm.Manymize (AVP)
  • W32.Manymize@mm (Symantec)
  • W32/Manyme.A-mm (MessageLabs)
  • W32/Manymize (Panda)
  • W32/Manymize.eml
  • W32/Manymize.js
  • Win32.Manymize (CA)
  • Worm/Manymize.A (CentralCommand)