- This virus is a dropper for W32/Mimail.C-mm; it is coded in VBScript and is 36,198 bytes in size
- The virus may have been spammed by a hacker or the virus author as an attachment to emails
- If this virus is run or opened, it writes the file "mware.exe" to the local system (this file is the virus W32/Mimail.C-mm) and then runs it
- W32/Mimail.C-mm uses email to propagate and distributes itself as an attachment to emails as a file named "photos.zip"
- Once W32/Mimail.C-mm is run, it will copy itself as "netwatch.exe" to the %Windows% folder and modify the registry to load this file at Windows startup -
"NetWatch32" = C:\WINNT\netwatch.exe
The virus will then exit and run "netwatch.exe", which stays resident as a process in memory
The virus will search the hard drive for email addresses and save them in a file named "eml.tmp" in the %Windows% folder
The virus will then construct an email in the following format and send it to all addresses listed in the file "eml.tmp", where "%s" is a string of random characters -
From: james@ (target domain listed in "eml.tmp")
X-Mailer: The Bat! (v1.62)
X-Priority: 1 (High)
Subject: Re: our private photos %s
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Content-Type: application/x-zip-compressed; name="photos.zip"
Content-Disposition: attachment; filename="photos.zip"
The attachment "photos.zip" contains the virus file under a double extension, "photos.jpg.exe"
The virus will attempt to connect to an SMTP server at the IP address 18.104.22.168 (ns.lemonti.ru) in order to send its emails to others
The virus contains a Denial-of-Service (DoS) attack payload which is carried out against two domains that are hard-coded in the virus
The virus will send fragmented ICMP packets and UDP datagrams in a flood attack against the domains "darkprofits.net" and "darkprofits.com" (and "www.darkprofits.net" and "www.darkprofits.com")
- Terminate the process "netwatch.exe" on an infected computer manually using Task Manager
- Delete the files "netwatch.exe", "exe.tmp" and "zip.tmp" from the %Windows% folder
- Temporarily block port 80 traffic from Internal to External (INT -> EXT) for these web addresses
- Block SMTP access to these addresses -
- Add the following words to the banned words table for email -
- Configure email servers to quarantine email messages matching this pattern, and delete as necessary
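As an added illustration of the quarantine step (not part of the original advisory), the filter below checks a raw message against the indicators described above: the "Re: our private photos" subject, the "The Bat! (v1.62)" X-Mailer, a "james@" sender, the "photos.zip" attachment and a double-extension member such as "photos.jpg.exe" inside the zip. The sample message, its domain names and the placeholder zip content are constructed here, not captured from the worm.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory: header fields and the attachment name.
SUBJECT_RE = re.compile(r"^Re: our private photos", re.IGNORECASE)
X_MAILER = "The Bat! (v1.62)"
# Double extension such as "photos.jpg.exe" hidden inside the zip.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|txt|doc)\.(exe|scr|pif|com|bat)$", re.IGNORECASE)

def zip_members_with_double_ext(data: bytes) -> list:
    """Return zip member names carrying a double extension; [] if the data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if DOUBLE_EXT_RE.search(n)]
    except zipfile.BadZipFile:
        return []

def mimail_indicators(raw: bytes) -> list:
    """Return which Mimail.C-mm indicators a raw RFC 822 message matches, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    if msg.get("X-Mailer", "") == X_MAILER:
        hits.append("x-mailer")
    if msg.get("From", "").lower().startswith("james@"):
        hits.append("from")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == "photos.zip":
            hits.append("attachment-name")
            if zip_members_with_double_ext(part.get_payload(decode=True)):
                hits.append("double-extension-in-zip")
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Quarantine when the attachment name plus at least one other indicator match."""
    hits = mimail_indicators(raw)
    return "attachment-name" in hits and len(hits) >= 2

def build_sample() -> bytes:
    """Constructed message in the advisory's format; the zip holds an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.jpg.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["From"], msg["To"] = "james@example.com", "user@example.com"  # constructed addresses
    msg["Subject"], msg["X-Mailer"] = "Re: our private photos abcd", X_MAILER
    msg.set_content("Right now enjoy the photos.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="x-zip-compressed", filename="photos.zip")
    return msg.as_bytes()
```

Requiring the attachment name plus one header indicator keeps a benign "photos.zip" from being quarantined on its own, while the zip inspection catches the double extension even when the sender rewrites the headers.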