I-Worm.Mimail

Details
I-Worm.Mimail.q
This is an encrypted email worm from the Mimail family. It spreads via the Internet as a file attached to infected messages. Mimail.q has two components: a dropper and the worm itself. The dropper re-encrypts its body under a fresh key each time it is launched, so the attachment bytes differ between sending sessions (and therefore between infected hosts), which defeats byte-exact signatures on the attachment.
Dropper
The dropper is a Windows PE EXE file of approximately 32KB. It contains the main component of the worm, a file named ‘outlook.exe’ in compressed form.
On launching, the following fake error message is displayed:

The program copies itself to the Windows directory under the name sys32.exe and registers that file under the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"System" = "%Windir%\sys32.exe"
The program then extracts outlook.exe, the main component of the worm, into the Windows directory. Because the dropper re-encrypts its body only when it is launched, every attachment sent from the computer during the current Windows session is byte-identical; after Windows is restarted the encryption key changes and the copies sent from then on differ from the earlier ones.
Main component
This is a Windows PE EXE file of approximately 50KB. It sends the dropper via email, contains a backdoor function, and is able to steal information.
It creates a number of keys in the Windows system registry that serve as infection markers, letting the worm recognise a machine it has already infected:
Software\Microsoft\Windows\CurrentVersion\Explorer
Explorer2
Explorer3
Explorer4
Explorer5
Explorer
When searching for email addresses to send infected messages to, the worm skips files with the following extensions: .com, .wav, .cab, .pdf, .rar, .zip, .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg and .bmp. Addresses found in all other files are saved to the file outlook32.cfg, and infected messages are sent to them. The contents of infected messages vary and are assembled from a range of parameters, e.g.:

Sender’s address:
[random]
Message header:
very cool picture only for you
Message body:
Good evening my dearest [random name],
I wondered
My brother had best sex I ever seen last night togather with the boss of [random name] %-)
I switched on my samsung camera and make excellent images!
Please don’t show pictures to your bro, okay?
or another example:
Message header:
sexy photo
Message body:
Good evening Lora
I shocked
My brother had best sex last evening with the sister of Jim %-)))
But I turned on panasonic cam and create good pictures %-)
And do not show photos anybody else, I trust you.
Attachment name:
prv_photos.gif.pif (random)
Size of attachment:
32KB
The worm uses its own SMTP engine to send infected messages. To deliver messages directly to the recipient's mail server, the worm looks up the recipient's server through the fixed DNS server 212.5.86.163 rather than the resolver configured on the host, as Mimail.p also does.
Other
The worm has a backdoor function: it listens on TCP port 667 for commands.
It also binds the command shell cmd.exe to port 3000, so that anyone who can reach that port gets a shell on the host and can run arbitrary commands.
It probes ports 80, 1433 and 1434 (1433 and 1434 are the Microsoft SQL Server ports) and, if they are open, reports the fact to:
advokat_2000@mail15.com
with the messages:
mssql2 open
and
mssql open
It also attempts to connect to www.google.com and if this attempt is successful, it sends information to:
hodorkovsky@mail15.com
avp@mail15.com
Additionally, if the connection to www.google.com succeeds (i.e. the host has Internet access), the worm activates its routine for stealing information from PayPal users, which is identical to that of I-Worm.Mimail.p. Information gathered is sent to the following addresses:
kaspersky_av@mail15.com
kasperskyeee@mail15.com
kaspersky_av@hotbox.ru
kaspersky_eee@pochta.ru
Eugene.Kaspersky@gmx.net
boris@berezovsky.cjb.net
just-for-fun@ziplip.com
In exactly the same way as Mimail.a, Mimail.b, Mimail.c and Mimail.p, the worm is able to steal information from users of the E-Gold payment system.
The information gathered is saved in c:\tmpgld.txt and sent to addresses from the list below:
E.Kaspersky@gmx.net
kaspersky_eugene@hotbox.ru
kaspersky_eugene@mail15.com
eugene@kaspersky.com
The worm also contains the following text:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS’ed in next version. WARNING: centrum.cz will be DDoS’ed in next versions, coz they have closed my mimail-email account. Who next? ***
visit our friendly site www.blackgate.us


    I-Worm.Mimail

    Details
    I-Worm.Mimail.p

    This worm spreads via the Internet in the form of files attached to infected messages.
    The worm is a Windows PE EXE file of 57888 bytes.
    Contents of infected messages:
    Sender:
    donotreply@paypal.com
    Message header:
    “GREAT NEW YEAR OFFER FROM PAYPAL.COM!”
    Message text:
    *** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***

    Dear PayPal.com Member,

    We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!

    If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it’s free) and you will receive a confirmation e-mail that your account has been created.

    That’s not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!

    Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com

    Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it’s your turn; so hurry up and take advantage of this special offer!

    Best of luck in the New Year,
    PayPal.com Team
    Attachment name:
    pp-app.zip
    The worm is activated only when the user opens the archive and runs the infected file. When this is done, the worm installs itself to the system, and begins replicating.
    Installation
    The worm copies itself to the Windows directory under the name 'winmgr32.exe' and registers this file in the system registry auto-run key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinMgr32" = "%Windir%\winmgr32.exe"
    In the C:\ root directory the worm creates the files "index.hta", "index2.hta", "tmpcan3.txt" and "tmpny3.txt", which it uses to display its dialogue boxes.
    The worm also creates the files
    zipzip.tmp
    ee98af.tmp
    in the Windows directory.
    How the worm sends mail
    To send infected messages the worm uses its own SMTP library. To deliver messages directly to the recipient's mail server, the worm looks up the server through the fixed DNS server 212.5.86.163 rather than the resolver configured on the host.
    When selecting email addresses to send to, the worm keeps only those whose domain ends in one of the following top-level domains or matches one of the following mail domains:
    .ca
    .au
    .uk
    .us
    .edu
    .gov
    .mil
    .de
    .it
    .ru
    .fr
    .info
    .org
    .net
    .com
    @email.msn.com
    @prodigy.net
    @safe-mail.net
    @excite.com
    @zwallet.com
    @erols.com
    @bigpond.com
    @usa.net
    @bigfoot.com
    @bellsouth.net
    @attglobal.net
    @att.net
    @attbi.com
    @email.it
    @lycos.com
    @sbcglobal.net
    @shaw.ca
    @themail.com
    @verizon.net
    @yahoo.com
    @msn.com
    @mail.com
    @hotmail.com
    @earthlink.net
    @aol.com
    but does not search for addresses in files with the following extensions: jpg, gif, exe, dll, avi, mpg, mp3, vxd, ocx, psd, tif, zip, rar, pdf, cab, wav, com.
    Other information:
    When executed, the worm displays a dialogue box on screen which asks for PayPal credit card details. Data entered is stored in ‘c:\tmpny3.txt’ and is then sent on to the author of the worm.

    The worm opens port 5555 to listen for commands.
    In a similar way to Mimail.a, Mimail.b and Mimail.c, the worm is able to steal information from E-Gold users. The worm also sends its author the following information about the infected system (these are the Outlook Express mail and news account settings):
    Account Name
    POP3 Password2
    POP3 Server
    POP3 User Name
    NNTP Server
    NNTP User Name
    SMTP Server
    SMTP Display Name
    SMTP Email Address
    SMTP Organization Name
    RAS Information
    INETCOMM Server Passwords
    The worm also changes the Internet Explorer home page to an image of George Bush: http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg.


    I-Worm.Mimail

    Details
    I-Worm.Mimail.j
    This worm is a modification of I-Worm.Mimail.i
    It spreads via the Internet as a file named InfoUpdate.exe attached to infected messages. The worm itself is a Windows PE EXE file, packed with UPX. The size of the compressed file is approximately 13KB and the size of the decompressed file is approximately 30KB.
    Characteristics of infected messages:
    Sender’s address:
    Do_Not_Reply@paypal.com
    Message header
    IMPORTANT
    Message body
    Dear PayPal member, We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.
    To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions. IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.
    Thank you for using PayPal.
    Attachment name:
    www.paypal.com.pif or InfoUpdate.exe
    All other details, such as how the worm installs itself, manifests itself in the system and replicates are the same as I-Worm.Mimail.i


    I-Worm.Mimail

    Details
    I-Worm.Mimail.i
    Mimail.i spreads through the Internet as the infected file attachment paypal.asp.scr. The Mimail.i worm is a Windows application file (PE EXE) about 12KB in size and compressed with UPX; the uncompressed size is about 30KB.
    Infected email messages include the following content:
    Sender address:
    donotreply@paypal.com
    Subject:
    YOUR PAYPAL.COM ACCOUNT EXPIRES
    Body Text:
    Dear PayPal member,
    PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with this email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
    We are taking these actions because we are implementing a new security policy on our website to insure everyone’s absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
    IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
    Thank you for using PayPal.
    Attachment:
    paypal.asp.scr
    The Mimail.i worm only gains control if a victim opens the file attachment.
    Behaviour
    On launch, Mimail.i displays a dialogue window asking the user for PayPal credit card details. Any data entered is saved in the file ppinfo.sys, which is then sent to the worm's author.
    Mimail.i then copies itself into the Windows directory under the name svchost32.exe and registers itself in the system registry auto-run key with the following entry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    SvcHost32 = %windir%\svchost32.exe
    Mimail.i creates two files in the C: root directory - pp.gif and pp.hta. These files are used to display the dialogue window requesting PayPal credit card information.
    The worm creates the following files in the Windows directory:
    zp3891.tmp
    ee98af.tmp
    el388.tmp
    Spreading
    To mail out infected copies of itself, Mimail.i uses its own SMTP engine. To find target email addresses, the worm searches for address strings in files located in the Shell Folders and Program Files directories.


    I-Worm.Mimail

    Details
    I-Worm.Mimail.g

    This is a variant of I-Worm.Mimail.e. It is approximately 10Kb in size and compressed with UPX; the uncompressed file is approximately 22Kb in size.
    How Mimail.g differs from earlier versions

    The worm copies itself to the Windows directory under the name ’sysload32.exe’ and registers this file in the system registry auto-run key:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "SystemLoad32" = "%windir%\sysload32.exe"
    Infected mails contain the following:

    Sender’s address:
    john@recipient domain
    Message header:
    don’t be late!
    Message body:
    Will meet tonight as we agreed, because on Wednesday I don’t think I’ll make it, so don’t be late. And yes, by the way here is the file you asked for. It’s all written there. See you.
    Attachment:
    readnow.zip
    The attached file contains the worm under the name ‘readnow.doc.scr’

    This version of the worm does not contain the function which enables it to steal E-Gold users’ information.

    The worm carries out a DoS attack on the site mysupersales.com in the same way that I-Worm.Mimail.c does.


    I-Worm.Mimail

    Details
    I-Worm.Mimail.c
    Mimail.c, also known as I-Worm.WatchNet, was at the time of writing the latest version of a potent Internet worm that spreads via email as an attachment named photos.jpg.zip. Mimail.c is a Windows application file (PE EXE) of about 12KB compressed with UPX; the uncompressed size is about 27KB.
    Infected email messages include the following content:
    Sender address:
    james@recipient domain
    Subject:
    Re[2]: our private photos
    Body Text:
    Hello Dear!,
    Finally i’ve found possibility to right u, my lovely girl :)
    All our photos which i’ve made at the beach (even when u’re without ur bh:))
    photos are great! This evening i’ll come and we’ll make the best SEX :)

    Right now enjoy the photos.
    Kiss, James.
    Attachment:
    photos.jpg.zip
    (actual name is “photos.jpg.exe”)
    The Mimail.c worm only gains control if a victim opens the file attachment.
    Reproduction
    Mimail.c copies itself into the Windows directory under the name netwatch.exe and registers it under the system registry auto-run key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    NetWatch32 = %windir%\netwatch.exe

    Mimail also creates the following files in the Windows directory:
    exe.tmp
    zip.tmp - a Zip archive of the worm (the compression method is ’stored’)
    eml.tmp - list of email addresses detected on infected (victim) computers

    To create the ZIP archive the Mimail.c worm uses its own procedure that is built into its own code.
    Spreading
    To mail out infected messages (of itself), Mimail.c uses its own SMTP engine. To detect email addresses to target, the worm searches for address strings in files located in the Shell Folders and Program Files directories.
    Other Information
    Mimail.c watches for activity from the e-gold payment system (http://www.e-gold.com) application. If this application is detected, Mimail.c records some specific data from it in the file c:\tmpe.tmp. This file is sent out to four email addresses belonging to the worm’s author.
    Mimail.c carries out a DDoS attack against the web sites www.darkprofits.com and www.darkprofits.net by sending them a continuous stream of packets of random size.


    I-Worm.Mimail

    Details
    I-Worm.Mimail.a
    Mimail.a is an Internet worm that spreads via infected emails. The worm itself is a Windows PE EXE file about 12KB in size when compressed with UPX; the decompressed size is about 30KB.
    Infected messages contain the following text:
    From: admin@%fake email address%
    where %fake email address% is different every time.
    Subject: your account %rnd str%
    where %rnd str% is different every time.
    Body:
    Hello there,

    I would like to inform you about important information regarding your email address. This email address will be expiring.
    Please read attachment for details.


    Best regards, Administrator

    Attach: message.zip
    The attached ZIP archive contains the file "message.html". When opened, this HTML file drops the file FOO.EXE (a copy of the worm) into the "Downloaded Program Files" directory and runs it. To drop and execute the EXE the worm exploits a vulnerability in Internet Explorer that lets JavaScript in the HTML file write to and execute files on disk without any prompt or warning.
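Every variant on this page ships its payload as an attachment whose name hides the real file type: prv_photos.gif.pif, www.paypal.com.pif, paypal.asp.scr, readnow.doc.scr inside readnow.zip, photos.jpg.exe inside photos.jpg.zip, and here message.html inside message.zip. The Python below is an added example, not code from the original page or from any antivirus vendor: a gateway-side attachment check that flags executable and double extensions, opens ZIP attachments in memory and applies the same rule to their members, and treats HTML inside an archive as suspicious because of the Mimail.a dropper. The message it builds is constructed to resemble the Mimail.c lure with an inert payload, and the addresses in it are placeholders.

```python
"""Mail-gateway attachment policy for the Mimail family (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click; the Mimail attachments use .pif,
# .scr and .exe, usually behind a decoy .gif/.jpg/.doc/.asp part.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "hta", "vbs", "js"}
ARCHIVE_EXTS = {"zip"}
# Mimail.a shipped an .html that dropped the worm through a browser flaw, so
# active web content inside an archive is treated as risky as well.
RISKY_IN_ARCHIVE = EXECUTABLE_EXTS | {"html", "htm"}


def classify_name(name, in_archive=False):
    """Return the reasons a file name is suspicious (empty list = clean)."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    risky = RISKY_IN_ARCHIVE if in_archive else EXECUTABLE_EXTS
    reasons = []
    if ext in risky:
        reasons.append(f"risky extension .{ext}")
        if len(parts) > 2:  # e.g. photos.jpg.exe: the decoy part is parts[-2]
            reasons.append(f"double extension masquerading as .{parts[-2]}")
    return reasons


def inspect_zip(data):
    """Return {member_name: reasons} for risky members of a ZIP held in memory."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reasons = classify_name(member.rsplit("/", 1)[-1], in_archive=True)
                if reasons:
                    findings[member] = reasons
    except zipfile.BadZipFile:
        # A .zip that is not a ZIP is itself a signal (renamed executable).
        findings["<archive>"] = ["not a valid ZIP (possibly renamed executable)"]
    return findings


def inspect_message(raw):
    """Return [(attachment_name, reasons)] for a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_name(name)
        if name.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTS:
            for member, why in inspect_zip(part.get_payload(decode=True)).items():
                reasons.append(f"archive member {member}: " + "; ".join(why))
        if reasons:
            verdicts.append((name, reasons))
    return verdicts


def build_sample_message():
    """Constructed message modelled on the Mimail.c lure; the payload is inert text."""
    buf = io.BytesIO()
    # Mimail builds its ZIP with method "stored", i.e. no compression.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photos.jpg.exe", b"not a real PE file")
    msg = EmailMessage()
    msg["From"] = "james@example.com"      # placeholder, not a real sender
    msg["To"] = "victim@example.com"       # placeholder
    msg["Subject"] = "Re[2]: our private photos"
    msg.set_content("Right now enjoy the photos.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.jpg.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()):
        print(f"BLOCK {name}:")
        for r in reasons:
            print("  -", r)
```

The check is on names only; it will not catch a worm mailed under a harmless extension that the user is tricked into renaming, and it does not verify that a .jpg member actually is an image. Pair it with content-type sniffing of archive members and a scanner that unpacks UPX, which every variant here uses.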

    Installation
    During installation the worm copies itself to the Windows directory under the name “videodrv.exe” and registers this file in the system registry autorun key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    VideoDriver = %WinDir%\videodrv.exe
    The worm also creates the following files in the Windows directory:
    exe.tmp - the worm embedded in its HTML file
    zip.tmp - the worm's HTML file inside a ZIP archive (method "stored", i.e. no compression)
    eml.tmp - list of email addresses found on the infected machine
    To create the ZIP archive the worm uses its own ZIP-format routine rather than an external archiver.

    Spreading
    To send out infected messages the worm uses a built in SMTP engine.
    To get victim email addresses the worm opens files in “Shell Folders” and “Program Files” and scans them for email-like text strings.
    Other
    The Mimail worm looks for the "e-gold" management application (electronic currency, see http://www.e-gold.com), grabs information from the application's form/window and stores this data in the file c:\tmpe.tmp. This file is then sent to four email addresses that belong to the worm's author.
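Across the variants described above the persistence and network footprint is the same shape: one value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing at a copy of the worm in the Windows directory (sys32.exe, winmgr32.exe, svchost32.exe, sysload32.exe, netwatch.exe, videodrv.exe), in some variants a listening backdoor (TCP 667 and 3000 for Mimail.q, 5555 for Mimail.p), and always a built-in SMTP engine that connects straight to recipients' mail servers instead of the organisation's relay. The Python below is an added example, not code from the page, that runs those three checks over a `reg export` of the Run key and the text of `netstat -an`. Both sample dumps are constructed, not captured from an infection; the addresses in them come from the RFC 5737 documentation ranges, and the "Mimail.i/.j" label follows the page's statement that .j installs the same way as .i.

```python
"""Host-side checks for the Mimail persistence and backdoor indicators (added example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Autorun value name (lower-cased) -> (dropped file name, variant), as documented above.
MIMAIL_AUTORUN = {
    "system": ("sys32.exe", "Mimail.q"),
    "winmgr32": ("winmgr32.exe", "Mimail.p"),
    "svchost32": ("svchost32.exe", "Mimail.i/.j"),
    "systemload32": ("sysload32.exe", "Mimail.g"),
    "netwatch32": ("netwatch.exe", "Mimail.c"),
    "videodriver": ("videodrv.exe", "Mimail.a"),
}
MIMAIL_EXE_TO_VARIANT = {exe: variant for exe, variant in MIMAIL_AUTORUN.values()}

# Backdoor listeners documented for the family.
MIMAIL_LISTENERS = {667: "Mimail.q backdoor", 3000: "Mimail.q cmd.exe shell", 5555: "Mimail.p backdoor"}

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_reg_export(text):
    """Parse a `reg export` dump of REG_SZ values into {key_path_lower: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_VALUE.match(line)
            if m:  # reg export doubles backslashes inside REG_SZ data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mimail_autoruns(reg_export_text):
    """Return [(value_name, data, variant)] for Run entries that match a known variant."""
    hits = []
    for name, data in parse_reg_export(reg_export_text).get(RUN_KEY.lower(), {}).items():
        exe = data.rsplit("\\", 1)[-1].strip('"').lower()
        variant = MIMAIL_EXE_TO_VARIANT.get(exe)
        if variant is None and name.lower() in MIMAIL_AUTORUN:
            variant = MIMAIL_AUTORUN[name.lower()][1]  # value name matches, file renamed
        if variant:
            hits.append((name, data, variant))
    return hits


def find_mimail_listeners(netstat_text):
    """Return {port: label} for documented backdoor ports found in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m and m.group(1) == "TCP" and m.group(4) == "LISTENING":
            port = int(m.group(2).rsplit(":", 1)[1])
            if port in MIMAIL_LISTENERS:
                found[port] = MIMAIL_LISTENERS[port]
    return found


def direct_smtp_peers(netstat_text):
    """Return the set of remote hosts this machine is contacting on TCP/25.

    A workstation fanning out to many mail servers is the signature of a worm's
    own SMTP engine; a legitimate mail client talks to one relay."""
    peers = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m and m.group(1) == "TCP" and m.group(4) in ("ESTABLISHED", "SYN_SENT"):
            host, port = m.group(3).rsplit(":", 1)
            if port == "25":
                peers.add(host)
    return peers


# Constructed sample dumps (not from a real infection).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"System"="C:\\WINDOWS\\sys32.exe"
"NetWatch32"="C:\\WINDOWS\\netwatch.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:667            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          198.51.100.7:25        ESTABLISHED
  TCP    10.0.0.5:1043          203.0.113.9:25         SYN_SENT
  TCP    10.0.0.5:1044          192.0.2.33:25          ESTABLISHED
  TCP    10.0.0.5:1045          10.0.0.20:445          ESTABLISHED
  UDP    10.0.0.5:1031          *:*
"""

if __name__ == "__main__":
    for name, data, variant in find_mimail_autoruns(REG_SAMPLE):
        print(f"[autorun]  {variant}: {name} = {data}")
    for port, label in find_mimail_listeners(NETSTAT_SAMPLE).items():
        print(f"[listener] tcp/{port}: {label}")
    peers = direct_smtp_peers(NETSTAT_SAMPLE)
    if len(peers) >= 3:
        print(f"[smtp]     direct connections to {len(peers)} mail servers: {sorted(peers)}")
```

The registry check matches on the documented value and file names, so a copy renamed by a later variant slips past it; the SMTP fan-out check is the more durable of the three, and the same logic applied at the perimeter (workstations opening TCP/25 to many external hosts, or sending DNS queries to 212.5.86.163 instead of the internal resolver) catches the family regardless of the file names it uses.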
