Win32.Mimail.Q@mm

(alias: I-Worm.Mimail.Q)
Spread: high
Damage: medium
Size: 50720 bytes, 32768 bytes
Detected: 2005 May 31

SYMPTOMS:

The following files in %windir%:
Sys32.exe, sys32.cfg
Outlook.exe, outlook.cfg
crc32.cfg

The following files in the C:\ directory:
Mshome.hta, Logo.jpg, wind.gif, logobig.gif
tmpeg2.txt
tmpgld.txt
Serv.txt
mminfo2.txt, mminfo.txt

The following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value %windir%\sys32.exe

TECHNICAL DESCRIPTION:

This is a polymorphic mass mailer with backdoor capabilities.
It arrives in an e-mail of the following format:
From:
James2000@yahoo.com
or
%name%@%yourdomain%.%domain%
where %name% can be any name from the following list:

"john"
"alex"
"bob"
"robert"
"admin"
"root"
"adm"
"michael"
"sex"
"ben"
"bill"
"freddie"
"brian"
"roger"
"dan"
"george"
"jack"
"james"
"kevin"
"paul"
"peter"
"steve"
"thomas"
"victor"
"anthony"
"rick"

%yourdomain% is the domain name of the infected computer.
%domain% is one of the following:

.net
.com
.org

Subject and body:
A combination of words contained in the worm body.
Example:
Subject:
cool pictures just for you

Body:
Hello my darling Barbara
It’s amazing
My sister had best sex I ever seen last night with the friend of Alice
I turned on my digital hp video camera and create a lot of excellent pictures!
I beg you do not show it anybody else, deal?

Attachment:
A combination of one word from the first list and one word from the second list:

My, priv, private, prv, the, best, super, great, cool, wild, sex and
Pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action

with one of the following extensions:

.pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr

Example of attachment:

My_Photos.jpg.pif
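A mail-gateway check built from the attachment naming scheme described above, as an added example (not BitDefender's own detection logic). It flags names matching the worm's word-pair plus extension pattern and, as a broader assumed rule not limited to the page's list, any image-looking name that ends in an executable extension.

```python
import re

# Attachment word lists and extensions as listed in the Mimail.Q description.
FIRST_WORDS = ["my", "priv", "private", "prv", "the", "best", "super",
               "great", "cool", "wild", "sex"]
SECOND_WORDS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs",
                "scene", "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]


def _alt(words):
    # Longest alternatives first so "private" is tried before "priv".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# <first word>[optional space, _ or -]<second word><extension>, whole name, case-insensitive.
MIMAIL_NAME = re.compile(
    rf"^(?:{_alt(FIRST_WORDS)})[ _-]?(?:{_alt(SECOND_WORDS)})(?:{_alt(EXTENSIONS)})$",
    re.IGNORECASE)
# Assumed generic rule: an image extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(?:jpg|jpeg|gif|bmp|png)\.(?:pif|scr|exe|com|bat|cmd)$",
                        re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(?:pif|scr|exe|com|bat|cmd)$", re.IGNORECASE)


def classify_attachment(name: str) -> str:
    """Return a verdict label for a single attachment file name."""
    if MIMAIL_NAME.match(name):
        return "mimail_q_name_pattern"
    if DOUBLE_EXT.search(name):
        return "double_extension_executable"
    if EXECUTABLE.search(name):
        return "executable_attachment"
    return "no_match"


def scan_attachments(names):
    """Map every suspicious attachment name to its verdict; clean names are omitted."""
    result = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict != "no_match":
            result[name] = verdict
    return result


if __name__ == "__main__":
    # Constructed sample attachment names (not taken from a real mail capture).
    sample = ["My_Photos.jpg.pif", "coolaction.scr", "holiday.gif.exe",
              "report.pdf", "setup.exe"]
    for name, verdict in scan_attachments(sample).items():
        print(f"{name}: {verdict}")
```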

It consists of two components:
a polymorphic dropper and the worm itself.
The dropper is the file that comes as an attachment in an infected e-mail. When the user opens the attachment, the dropper regenerates its own code (polymorphs itself) and copies itself to %windir%\sys32.exe
It adds the registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value %windir%\sys32.exe
Then it drops the file outlook.exe in %windir%, executes it and displays an error message:
'ERROR: Bad CRC32'

outlook.exe is the Internet worm component.
After it is run it does the following:
It scans for Internet services running on the infected computer and reports them
to an e-mail address.
It gathers e-mail addresses from all the files on the computer except files with
the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp
It saves the e-mail addresses it finds in the following file:
%windir%\outlook.cfg
It sends the sys32.exe file to all the e-mail addresses it found, in the same format in which it arrived.
It opens a shell on port 3000 and waits for connections.
It waits for remote connections on port 6667.
It drops the file c:\mshome.hta and executes it.
The HTA file is used to gather personal information, which is then sent to e-mail addresses.
The worm also uses the following registry values for keeping track of its progress:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\
Explorer
Explorer2
Explorer3
Explorer4
Explorer5

The worm contains the following text:

*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: ********* will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? *** visit our friendly site **************'


REMOVAL INSTRUCTIONS:

Let BitDefender delete the infected files it finds.

ANALYZED BY:

Sorin Victor Dudea