W32/Mimail.C !tr
Analysis
- Virus is a dropper for W32/Mimail.C-mm and is coded in VBScript with a size of 36,198 bytes
- Virus may have been spammed by a hacker or virus author as an attachment to emails
- If this virus is run or opened, it will create a file "mware.exe" on the local system as the virus W32/Mimail.C-mm and then run this file
- W32/Mimail.C-mm uses email to propagate and distributes itself as an attachment to emails as a file named "photos.zip"
- Once W32/Mimail.C-mm is run, it will copy itself as "netwatch.exe" to the %Windows% folder and modify the registry to load this file at Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"NetWatch32" = C:\WINNT\netwatch.exe
- The virus will then exit and run the file "netwatch.exe", which runs as a process in memory
- The virus will scavenge the hard drive looking for email addresses and save them into a file named "eml.tmp" in the %Windows% folder
- The virus will then construct an email in this format and send it to all users listed in the file "eml.tmp", where "%s" is random characters -
From: james@ (target domain listed in "eml.tmp")
X-Mailer: The Bat! (v1.62)
X-Priority: 1 (High)
Subject: Re[2]: our private photos %s
Body: Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)Right now enjoy the photos.
Kiss, James.
%s
Content-Type: application/x-zip-compressed; name="photos.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photos.zip"
- The attachment "photos.zip" contains the virus file with a double extension as "photos.jpg.exe"
- The virus will attempt to connect to an SMTP server at the IP address 212.5.86.163 (ns.lemonti.ru) in order to send its emails to others
- The virus contains a Denial-of-Service (DoS) attack payload which is carried out against two domains that are hard-coded in the virus
- The virus will send fragmented ICMP packets and UDP datagrams in a flood attack against the domains "darkprofits.net" and "darkprofits.com" (and "www.darkprofits.net" and "www.darkprofits.com")
Recommended Action
- Terminate the process "netwatch.exe" on an infected computer manually using Task Manager
- Delete the files "netwatch.exe", "exe.tmp" and "zip.tmp" from the %Windows% folder
- Temporarily block port 80 traffic from Internal to External (INT -> EXT) for these web addresses -
darkprofits.net
darkprofits.com
www.darkprofits.net
www.darkprofits.com
- Block SMTP access to these addresses -
ns.lemonti.ru
212.5.86.163
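The blocking recommendations above can also be turned into a detection. The following Python script is an added example, not part of the original entry: it correlates constructed DNS and firewall log lines and flags internal hosts that resolve or talk to the hard-coded DoS targets, send SMTP to the ns.lemonti.ru relay, or flood a resolved target with fragmented ICMP or UDP. The key=value log format, the `frag=1` field, the 203.0.113.x and 198.51.100.x answer addresses, the 20-packet flood threshold and the finding names are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Network indicators listed in the analysis and recommended action above
DOS_TARGET_HOSTS = {"darkprofits.net", "darkprofits.com",
                    "www.darkprofits.net", "www.darkprofits.com"}
SMTP_RELAY_HOSTS = {"ns.lemonti.ru"}
SMTP_RELAY_IPS = {"212.5.86.163"}
FLOOD_THRESHOLD = 20  # packets per internal source in the log window (assumed tuning value)

# RFC 1918 ranges define "Internal" for the INT -> EXT check
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def analyse(lines):
    """Return {internal source IP: [findings]} for the given log lines."""
    records = [parse_line(line) for line in lines]
    findings = defaultdict(list)
    dos_ips, relay_ips = set(), set(SMTP_RELAY_IPS)

    # Pass 1: learn which addresses the blocked names resolved to, and who asked
    for rec in records:
        if rec.get("type") != "dns":
            continue
        qname, answer, src = rec.get("qname", ""), rec.get("answer"), rec.get("src")
        if qname in DOS_TARGET_HOSTS:
            dos_ips.add(answer)
            findings[src].append(f"dns-lookup-of-dos-target:{qname}")
        elif qname in SMTP_RELAY_HOSTS:
            relay_ips.add(answer)

    # Pass 2: inspect INT -> EXT connections only
    flood = Counter()
    for rec in records:
        if rec.get("type") != "conn":
            continue
        src, dst = rec.get("src"), rec.get("dst")
        if not (src and dst and is_internal(src) and not is_internal(dst)):
            continue
        proto, dport = rec.get("proto"), rec.get("dport")
        if dport == "25" and dst in relay_ips:
            findings[src].append(f"smtp-to-mimail-relay:{dst}")
        if dport == "80" and dst in dos_ips:
            findings[src].append(f"http-to-dos-target:{dst}")
        # fragmented ICMP or UDP datagrams towards a resolved DoS target count towards a flood
        if dst in dos_ips and (proto == "udp" or (proto == "icmp" and rec.get("frag") == "1")):
            flood[src] += 1
    for src, count in flood.items():
        if count >= FLOOD_THRESHOLD:
            findings[src].append(f"flood-to-dos-target:{count}")
    return dict(findings)


# Constructed sample log: one infected host (10.0.0.12) and one clean host (10.0.0.33)
CONSTRUCTED_LOG = [
    "type=dns src=10.0.0.12 qname=darkprofits.net answer=203.0.113.7",
    "type=dns src=10.0.0.12 qname=www.darkprofits.com answer=203.0.113.8",
    "type=dns src=10.0.0.12 qname=ns.lemonti.ru answer=212.5.86.163",
    "type=conn src=10.0.0.12 dst=212.5.86.163 dport=25 proto=tcp",
    "type=conn src=10.0.0.12 dst=203.0.113.7 dport=80 proto=tcp",
    "type=dns src=10.0.0.33 qname=example.net answer=198.51.100.5",
    "type=conn src=10.0.0.33 dst=198.51.100.5 dport=80 proto=tcp",
] + ["type=conn src=10.0.0.12 dst=203.0.113.7 proto=icmp frag=1"] * 25 \
  + ["type=conn src=10.0.0.12 dst=203.0.113.8 proto=udp"] * 5

if __name__ == "__main__":
    for host, hits in analyse(CONSTRUCTED_LOG).items():
        print(host, hits)
```

Resolving the DoS target names from DNS answers in the same log, rather than hard-coding their addresses, keeps the rule valid if the domains change address after the block is lifted.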
- Add the following words to the banned words table for email -
Kiss+James
- Configure email servers to quarantine email messages matching this pattern, and delete as necessary
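As an added example (not part of the original entry), the following Python script checks an incoming message against the pattern described in the Analysis section: the X-Mailer header, the "Re[2]: our private photos" subject prefix, the "Kiss+James" banned words, the "photos.zip" attachment and a double-extension executable inside it. The messages it scores are constructed inline with placeholder addresses and a harmless text file in place of the executable; the indicator names, the quarantine threshold of two matches and the example.org addresses are assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the analysis above
MAILER = "The Bat! (v1.62)"
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\b")
ATTACHMENT_NAME = "photos.zip"
BANNED_WORDS = ("Kiss", "James")  # the "Kiss+James" banned-words entry: both must appear
EXECUTABLE_EXTS = (".exe",)       # only .exe is documented for this sample


def double_extension_executables(zip_bytes):
    """Return archive members like photos.jpg.exe: an executable hidden behind a second extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS:
                found.append(name)
    return found


def score_message(raw):
    """Return the list of Mimail.C indicators matched by a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if msg.get("X-Mailer", "") == MAILER:
        hits.append("x-mailer")
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(word in text for word in BANNED_WORDS):
        hits.append("banned-words")
    for part in msg.iter_attachments():
        if part.get_filename() == ATTACHMENT_NAME:
            hits.append("attachment-name")
            try:
                bad = double_extension_executables(part.get_payload(decode=True))
            except zipfile.BadZipFile:
                bad = []  # not a zip at all; the name match alone already counts
            for name in bad:
                hits.append("double-extension:" + name)
    return hits


def verdict(hits):
    """Quarantine on any hidden executable, or when two or more indicators match."""
    if any(h.startswith("double-extension:") for h in hits) or len(hits) >= 2:
        return "quarantine"
    return "deliver"


def build_sample(subject, body, attach_zip, mailer=None):
    """Constructed test message; the zip member is placeholder text, not an executable."""
    msg = EmailMessage()
    msg["From"] = "james@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    if mailer:
        msg["X-Mailer"] = mailer
    msg.set_content(body)
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("photos.jpg.exe", b"constructed placeholder, not an executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="x-zip-compressed", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


# "x7q2" stands in for the random characters the virus puts where "%s" appears
SAMPLE_MIMAIL = build_sample("Re[2]: our private photos x7q2",
                             "Hello Dear!,\nphotos are great!\nKiss, James.\n",
                             attach_zip=True, mailer=MAILER)
SAMPLE_CLEAN = build_sample("Re: meeting notes", "Slides attached tomorrow.\nThanks, Ann\n",
                            attach_zip=False)

if __name__ == "__main__":
    for label, raw in (("mimail", SAMPLE_MIMAIL), ("clean", SAMPLE_CLEAN)):
        hits = score_message(raw)
        print(label, verdict(hits), hits)
```

The double-extension check is the strongest single indicator because the other fields are trivially changed between variants, which is why it quarantines on its own while the header and text matches need corroboration.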