|
I-Worm.Mimail. Viruses Information
| Name: |
I-Worm.Mimail. |
| Category: |
Viruses |
| Description:
|
Details
I-Worm.Mimail.p
This worm spreads via the Internet in the form of files attached to infected messages.
The worm is a Windows PE EXE file of 57888 bytes.
Contents of infected messages:
Sender:
donotreply@paypal.com
Message header:
"GREAT NEW YEAR OFFER FROM PAYPAL.COM!"
Message text:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***
Dear PayPal.com Member,
We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!
If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.
That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!
Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com
Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!
Best of luck in the New Year,
PayPal.com Team
Attachment name:
pp-app.zip
The worm is activated only when the user opens the archive and runs the infected file. When this is done, the worm installs itself to the system, and begins replicating.
Installation
The worm copies itself to the Windows system directory under the name 'Winmgr.32.exe' and registers this file in the system registry auto-run key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"WinMgr32" = "%Windir%winmgr32.exe"
In the C: root directory the worm creates the following files: "index.hta", "index2.hta", "tmpcan3.txt" and "tmpny3.txt" which are used by the dialogue boxes.
The worm also creates the files
zipzip.tmp
ee98af.tmp
in the Windows directory.
How the worm sends mail
To send infected messages the worm uses its own SMTP library. In order to send messages directly to the recipient's smtp server, the worm makes use of DNS server 212.5.86.163
To find email addresses to send messages to, the worm looks for address lines which contain the following suffixes:
.ca
.au
.uk
.us
.edu
.gov
.mil
.de
.it
.ru
.fr
.info
.org
.net
.com
@email.msn.com
@prodigy.net
@safe-mail.net@excite.com
@zwallet.com
@erols.com
@bigpond.com
@usa.net
@bigfoot.com
@bellsouth.net
@attglobal.net
@att.net
@attbi.com
@email.it
@lycos.com
@sbcglobal.net
@shaw.ca
@themail.com
@verizon.net
@yahoo.com
@msn.com
@mail.com
@hotmail.com
@earthlink.net
@aol.com
but does not search for addresses in files with the following extensions: jpg, gif, exe, dll, avi, mpg, mp3, vxd, ocx, psd, tif, zip, rar, pdf, cab, wav, com.
Other information:
When executed, the worm displays a dialogue box on screen which asks for PayPal credit card details. Data entered is stored in 'c:tmpny3.txt' and is then sent on to the author of the worm.
The worm opens port 5555 to listen for commands.
In a similar way to versions Mimail.a,Mimail.b and Mimail.c, the worm is able to steal information from E-Gold users. The worm also sends its author the following information about the infected system:
Account Name
POP3 Password2
POP3 Server
POP3 User Name
NNTP Server
NNTP User Name
SMTP Server
SMTP Display Name
SMTP Email Address
SMTP Organization Name
RAS Information
INETCOMM Server Passwords
The worm changes the home page in Internet Explorer to a link containing pictures of George Bush: http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg. |
Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 73 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win32.Hidra - 43 visits
Win16.Klon.1177 - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
PHP.Neworl
Konkoor.184
Int
Exploit.HTML.Mh
KOV Famil
Vik Famil
Logen.115
WereWolf famil
LoadHigh.146
Euskara.81
|
