Virus

W32/Mimail.C !tr

Analysis

  • The virus is a dropper for W32/Mimail.C-mm, written in VBScript, with a size of 36,198 bytes
  • The virus may have been spammed by its author as an attachment to emails
  • If the script is run or opened, it writes a file "mware.exe" (the W32/Mimail.C-mm executable) to the local system and then runs that file
  • W32/Mimail.C-mm propagates by email, distributing itself as an attachment named "photos.zip"
  • Once W32/Mimail.C-mm is run, it copies itself as "netwatch.exe" to the %Windows% folder and modifies the registry so that this file is loaded at Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "NetWatch32" = C:\WINNT\netwatch.exe

  • The dropped executable then exits and runs "netwatch.exe", which remains resident as a process in memory

  • The virus scavenges the hard drive for email addresses and saves them to a file named "eml.tmp" in the %Windows% folder

  • The virus then constructs an email in the following format and sends it to every address listed in "eml.tmp", where "%s" is a run of random characters -

    From: james@ (target domain listed in "eml.tmp")
    X-Mailer: The Bat! (v1.62)
    X-Priority: 1 (High)
    Subject: Re[2]: our private photos undefineds
    Body:

    Hello Dear!,

    Finally i've found possibility to right u, my lovely girl :)
    All our photos which i've made at the beach (even when u're without ur bh:))
    photos are great! This evening i'll come and we'll make the best SEX :)

    Right now enjoy the photos.
    Kiss, James.
    %s
    Content-Type: application/x-zip-compressed; name="photos.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="photos.zip"

  • The attachment "photos.zip" contains the virus executable under the double-extension name "photos.jpg.exe"

  • To deliver its emails, the virus attempts to connect to an SMTP server at IP address 212.5.86.163 (ns.lemonti.ru)

  • The virus contains a Denial-of-Service (DoS) attack payload which is carried out against two domains that are hard coded in the virus

  • The virus floods the domains "darkprofits.net" and "darkprofits.com" (and the hosts "www.darkprofits.net" and "www.darkprofits.com") with fragmented ICMP packets and UDP datagrams

Recommended Action

  • Terminate the process "netwatch.exe" on an infected computer manually using Task Manager
  • Delete the files "netwatch.exe", "exe.tmp" and "zip.tmp" from the %Windows% folder
  • Temporarily block port 80 traffic from Internal to External (INT -> EXT) for these web addresses -

    darkprofits.net
    darkprofits.com
    www.darkprofits.net
    www.darkprofits.com

  • Block SMTP access to these addresses -

    ns.lemonti.ru
    212.5.86.163

  • Add the following words to the banned words table for email -
    Kiss+James

  • Configure email servers to quarantine email messages matching this pattern, and delete as necessary
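The following is an added example, not code from the original advisory or its vendor, showing how a mail gateway could implement the quarantine rule above using the indicators from the Analysis section (the "The Bat! (v1.62)" X-Mailer, the "Re[2]: our private photos" subject, a "james@" sender, the "Kiss, James" sign-off, and a "photos.zip" attachment carrying a double-extension executable). It goes one step past the banned-words table: it opens the zip and checks member names for a hidden executable extension, which catches the attachment even if the subject or body changes. The sample messages are constructed inline, the quarantine threshold of two matching indicators is an assumption, and the whole script runs offline.

```python
"""Gateway-side detection of the W32/Mimail.C-mm message pattern.

Added example: the indicator set comes from the advisory above; the
threshold, sender addresses and sample messages are assumptions.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the advisory's description of the email.
INDICATORS = {
    "x_mailer": "The Bat! (v1.62)",
    "subject_prefix": "Re[2]: our private photos",
    "attachment": "photos.zip",
    "body_phrase": "Kiss, James",
}
# Executable extensions that should not sit behind a second extension.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
QUARANTINE_THRESHOLD = 2  # assumption: two independent hits is enough


def double_extension_executables(zip_bytes: bytes) -> list[str]:
    """Return zip members named like photos.jpg.exe (two dots, exe last)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS:
                hits.append(name)
    return hits


def scan_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the indicators; never raises on bad zips."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    if msg.get("X-Mailer", "") == INDICATORS["x_mailer"]:
        findings.append("x-mailer")
    if (msg.get("Subject") or "").startswith(INDICATORS["subject_prefix"]):
        findings.append("subject")
    if (msg.get("From") or "").strip().lower().startswith("james@"):
        findings.append("from")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and INDICATORS["body_phrase"] in body.get_content():
        findings.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == INDICATORS["attachment"]:
            findings.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # zip local file header magic
            try:
                bad = double_extension_executables(payload)
            except zipfile.BadZipFile:
                bad = []
            if bad:
                findings.append("zip-double-ext:" + ",".join(bad))
    verdict = "quarantine" if len(findings) >= QUARANTINE_THRESHOLD else "pass"
    return {"verdict": verdict, "findings": findings}


def build_sample(malicious: bool = True) -> bytes:
    """Construct a sample message (test data, not a captured Mimail email)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        member = "photos.jpg.exe" if malicious else "photos.jpg"
        zf.writestr(member, b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["From"] = "james@example.com" if malicious else "alice@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re[2]: our private photos kqz" if malicious else "Holiday photos"
    if malicious:
        msg["X-Mailer"] = INDICATORS["x_mailer"]
        msg["X-Priority"] = "1 (High)"
    msg.set_content("Right now enjoy the photos.\nKiss, James.\n" if malicious
                    else "Here are the holiday photos.\nCheers, Alice\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_message(build_sample(flag)))
```

The benign message shares only the "photos.zip" file name, so it scores one hit and passes; the constructed Mimail-style message scores on every indicator, including the hidden "photos.jpg.exe" inside the archive, and is quarantined. In production the threshold and the from-address check would be tuned to local mail, and the zip inspection should be bounded (member count, uncompressed size) before it is exposed to untrusted attachments.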