Win32.Mimail.M@mm (W32/Mimail-M (Sophos) | W32.Mimail.M@mm (Symantec))

SYMPTOMS:
- Presence of the following files in the %WINDOWS% folder:
  netmon.exe (10,784 bytes)
  nji2.tmp (10,784 bytes)
  msi2.tmp (10,914 bytes)
  xjwu2.tmp
- Presence of the following registry value:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"NetMon"="%WINDOWS%\netmon.exe"]
  where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems).

TECHNICAL DESCRIPTION:
Like all its predecessors, Win32.Mimail.M@mm spreads via e-mail. It arrives in the following e-mail format:

From: Wendy ???@???????? (the address is spoofed)
Subject: Re[3] (44 spaces) ???????? (? may be any letter)
Body:
Hello Greg, I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. He took my skirt off, then my panties, then my bra, he su**ed my tits, with the same fury you do it. He was writing alphabet on my pu**y for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger. But Greg, why didn't you warn me that his d**k is 15 inches long?? I was struck, we fu**ed whole night. I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... Wendy.
Attachment: only_for_greg.zip (containing the file for_greg.jpg.exe)

Once run, the virus does the following:
- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, so that it cannot be seen in Task Manager.
- Copies itself as netmon.exe in the %WINDOWS% folder.
- Creates msi2.tmp (a copy of only_for_greg.zip) and nji2.tmp (a copy of for_greg.jpg.exe) in the %WINDOWS% folder.
- Creates the registry value [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon="%WINDOWS%\netmon.exe"].
- Searches for e-mail addresses in files inside the "Program Files" folder and in files found in the folders listed under the registry key [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder], skipping files with the extensions com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg and bmp, and stores the harvested e-mail addresses in the file %WINDOWS%\xjwu2.tmp.
- Uses its own SMTP engine to send itself: for each harvested e-mail address, it queries the host's DNS server for the domain associated with that address and attempts to send itself through that domain's SMTP server or, if that fails, through the SMTP server 212.5.86.163.
- Checks whether the infected computer is connected to the Internet by attempting to access www.register.com.
- Attempts DoS attacks on (www.)darkprofits.ws, (www.)darkprofits.com and (www.)darkprofits.net.

CLEANING INSTRUCTIONS:
Manual removal:
- Open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESC] on Win2000/XP) and use "End Process" on netmon.exe.
- Delete the files netmon.exe, nji2.tmp, msi2.tmp and xjwu2.tmp from the Windows folder.
- Open Registry Editor (click Start, Run and enter regedit) and remove the value [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon].
Automatic removal:
- Let BitDefender delete/disinfect the files found infected.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
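The lure format described in the technical description (the "Re[3]" subject padded with 44 spaces, the only_for_greg.zip attachment and the for_greg.jpg.exe double extension inside it) can be flagged at a mail gateway before the attachment reaches a user; the following is an added Python example, not code from the original entry or from BitDefender. The sample message and the archive contents are constructed for the test (dummy bytes, not the real attachment), and the extra extensions in the two regular expressions are assumptions beyond the two file names the entry gives.

```python
import base64
import email
import io
import re
import zipfile

# Lure traits from the entry: Subject "Re[3]" + 44 spaces + letters, a zip named
# only_for_greg.zip, and an executable hiding behind an image extension inside it.
SUBJECT_RE = re.compile(r"^Re\[3\] {44}[A-Za-z]+$")
LURE_ZIP = "only_for_greg.zip"
DOUBLE_EXT_RE = re.compile(r"\.(jpg|jpeg|gif|bmp|txt|doc)\.(exe|scr|pif|com)$", re.I)

def zip_members(data):
    """Member names of a zip payload, or [] when it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def mimail_m_indicators(raw):
    """Return the Mimail.M lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == LURE_ZIP:
            hits.append("zip-name")
        if name.endswith(".zip"):  # inspect any archive, not only the known name
            for member in zip_members(part.get_payload(decode=True) or b""):
                if DOUBLE_EXT_RE.search(member):
                    hits.append("double-ext:" + member)
    return hits

def constructed_sample():
    """Constructed lure message for testing; the archive holds dummy bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("for_greg.jpg.exe", b"DUMMY-CONTENT-NOT-AN-EXECUTABLE")
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return (
        "Subject: Re[3]" + " " * 44 + "xyzq\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nHello Greg,\n--b1\n"
        f'Content-Type: application/zip; name="{LURE_ZIP}"\n'
        f'Content-Disposition: attachment; filename="{LURE_ZIP}"\n'
        f"Content-Transfer-Encoding: base64\n\n{b64}--b1--\n"
    ).encode()
```

Any non-empty result is worth quarantining; the "double-ext" check alone also catches renamed copies of the archive.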