I-Worm.Mimail. Viruses Information

Name: I-Worm.Mimail.
Category: Viruses
Description:
I-Worm.Mimail.q
This is an encoded email worm from the Mimail family. It spreads via the Internet as files attached to infected messages. Mimail.q has two components: a dropper and the worm itself. The dropper file is encrypted with a unique key in every message.
Dropper
The dropper is a Windows PE EXE file of approximately 32KB. It contains the main component of the worm, a file named 'outlook.exe', in compressed form.
On launching, the following fake error message is displayed:

The program copies itself to the Windows directory under the name sys32.exe and registers this file as a value in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"System" = "%Windir%\sys32.exe"
The program then extracts the file outlook.exe, the main component of the worm, and copies it to the Windows directory. The dropper encodes its body when launched, so the code of all attachments sent from the computer during the current Windows session is identical. After Windows has been restarted, a new encryption key is used.
Main component
This is a Windows PE EXE file of approximately 50KB. It sends the dropper via email, contains a backdoor function, and is able to steal information.
It creates a number of keys in the Windows system registry in order to mark its own presence on the computer:
Software\Microsoft\Windows\CurrentVersion\Explorer
Explorer2
Explorer3
Explorer4
Explorer5
Explorer
When searching for email addresses to send infected messages to, the worm does not scan files with the following extensions: .com, .wav, .cab, .pdf, .rar, .zip, .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg and .bmp. Email addresses found in other files are saved to the file outlook32.cfg, and infected messages are sent to these addresses. The contents of infected messages vary, being composed from a range of parameters, e.g.

Sender's address:
[random]
Message header:
very cool picture only for you
Message body:
Good evening my dearest [random name],
I wondered
My brother had best sex I ever seen last night togather with the boss of [random name] %-)
I switched on my samsung camera and make excellent images!
Please don't show pictures to your bro, okay?
or another example:
Message header:
sexy photo
Message body:
Good evening Lora
I shocked
My brother had best sex last evening with the sister of Jim %-)))
But I turned on panasonic cam and create good pictures %-)
And do not show photos anybody else, I trust you.
Attachment name:
prv_photos.gif.pif (random)
Size of attachment:
32KB
The worm uses its own SMTP engine to send infected messages. To send messages directly to the recipient's SMTP server, the worm resolves the server via the DNS server 212.5.86.163, as Mimail.p does.
Other
The worm has a backdoor function, which opens TCP port 667 to receive commands.
It launches the command shell cmd.exe on port 3000 in order to receive and execute commands.
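The persistence entries, dropped files, marker keys and backdoor ports described above can be checked in one place. The following is an added example (not code from the original description or from any vendor): it evaluates a host snapshot against those indicators; the snapshot layout (Run values, files in the Windows directory, subkeys under the Explorer key, listening TCP ports) is this example's own assumption, and the sample data is constructed.

```python
"""Host-indicator check for the I-Worm.Mimail.q behaviour described above.
Added example; the snapshot layout is an assumption of this example."""
import re

# Indicators taken from the description: Run value, dropped files,
# presence-marker subkeys and the backdoor / command-shell ports.
RUN_VALUE_NAME = "System"
RUN_VALUE_PATTERN = re.compile(r"(^|\\)sys32\.exe$", re.IGNORECASE)
DROPPED_FILES = {"sys32.exe", "outlook.exe", "outlook32.cfg"}
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
MARKER_SUBKEYS = {"Explorer2", "Explorer3", "Explorer4", "Explorer5"}
BACKDOOR_PORTS = {667, 3000}


def check_host(snapshot):
    """Return a list of (severity, finding) tuples; an empty list means no match."""
    findings = []
    run_value = snapshot.get("run_values", {}).get(RUN_VALUE_NAME, "")
    if RUN_VALUE_PATTERN.search(run_value):
        findings.append(("high", f"Run value {RUN_VALUE_NAME!r} points at {run_value}"))
    present = DROPPED_FILES & {f.lower() for f in snapshot.get("windir_files", [])}
    for name in sorted(present):
        findings.append(("medium", f"{name} present in the Windows directory"))
    markers = MARKER_SUBKEYS & set(snapshot.get("explorer_subkeys", []))
    if markers:
        findings.append(("medium", f"marker subkeys under {EXPLORER_KEY}: {sorted(markers)}"))
    for port in sorted(BACKDOOR_PORTS & set(snapshot.get("listening_tcp", []))):
        findings.append(("high", f"TCP port {port} listening (backdoor / cmd.exe shell port)"))
    return findings


def is_likely_infected(snapshot):
    """Any high-severity finding, or two or more findings of any severity."""
    findings = check_host(snapshot)
    return any(sev == "high" for sev, _ in findings) or len(findings) >= 2


# Constructed sample snapshots (example data only).
INFECTED = {
    "run_values": {"System": r"C:\WINDOWS\sys32.exe"},
    "windir_files": ["explorer.exe", "sys32.exe", "outlook.exe", "outlook32.cfg"],
    "explorer_subkeys": ["Explorer2", "Explorer3", "Explorer4", "Explorer5"],
    "listening_tcp": [135, 445, 667, 3000],
}
CLEAN = {
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "windir_files": ["explorer.exe", "notepad.exe"],
    "explorer_subkeys": ["Shell Folders"],
    "listening_tcp": [135, 445],
}

if __name__ == "__main__":
    for severity, message in check_host(INFECTED):
        print(severity, message)
```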
It attempts to open ports 80, 1433, and 1434, and if these attempts are successful, it sends information to:
advokat_2000@mail15.com
with the messages:
mssql2 open
and
mssql open
It also attempts to connect to www.google.com and if this attempt is successful, it sends information to:
hodorkovsky@mail15.com
avp@mail15.com
Additionally, if a connection to www.google.com is established, the worm launches the function which enables it to steal information from PayPal users, in exactly the same way as I-Worm.Mimail.p does. Information gathered is sent to the following addresses:
kaspersky_av@mail15.com
kasperskyeee@mail15.com
kaspersky_av@hotbox.ru
kaspersky_eee@pochta.ru
Eugene.Kaspersky@gmx.net
boris@berezovsky.cjb.net
just-for-fun@ziplip.com
In exactly the same way as Mimail.a, Mimail.b, Mimail.c and Mimail.p, the worm is able to steal user information from users of the E-Gold payment system.
The information gathered is saved in c:\tmp\gld.txt and sent to the addresses listed below:
E.Kaspersky@gmx.net
kaspersky_eugene@hotbox.ru
kaspersky_eugene@mail15.com
eugene@kaspersky.com
The worm also contains the following text:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***
visit our friendly site www.blackgate.us