Alias: W32.Mimail.D@mm, W32/Mimail@mm, WORM_MIMAIL.E
Type: Worm
Size: 10,784 bytes
Origin: unknown
Date: 11-01-2003
Damage: sends itself by email
VDF Version: 6.22.00.25
Danger: Low
Distribution: High
General Description
Worm/Mimail.E is a worm that steals data from the user's computer. To spread by email, it uses its own SMTP engine.
Symptoms
System instability
Distribution
Email spreading, using its own SMTP engine.
Technical Details
When activated, it creates the following files in the Windows directory:
* cnfrm.exe
* exe.tmp
* zip.tmp
* eml.tmp
It creates the following registry entry, so that it will be automatically run at the next system start:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cnfrm32"="C:\<%WinDIR%>\cnfrm.exe"
It also starts Denial of Service attacks against the following servers:
* fethard.biz
* fethard-finance.com
* spamhaus.org
* spews.org
It gathers email addresses from all files except those with the following extensions:
* exe
* jpg
* wav
* com
* mp3
* tif
* psd
* avi
* mpg
* cab
* pdf
* rar
* zip
* dll
* gif
* ocx
* vxd
* bmp
The collected addresses are stored in the file C:\<%Windir%>\eml.tmp. The worm spreads by sending itself to these addresses using its own SMTP engine. For each address it extracts the domain and uses that domain in the sender address, so to the recipient the message appears to come from their own domain.
The email has the following characteristics:
From: john@<current domain>
Subject: don't be late!
Body:
Hello Dear!,
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attachment: readnow.zip
The file readnow.zip contains the virus under the filename readnow.doc.scr.
Manual Removal Instructions
- for Windows 2000/XP:
To remove the virus by hand, boot into Safe Mode first: press the F8 key when you start your computer and select 'Safe Mode' from the menu that appears.
Delete the following files:
* C:\<%WinDIR%>\cnfrm.exe
* C:\<%WinDIR%>\zip.tmp
* C:\<%WinDIR%>\exe.tmp
* C:\<%WinDIR%>\eml.tmp
Start "regedit" after that and delete the following registry entries:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32"="C:\<%Windir%>\netwatch.exe"
Restart your computer.
- for Windows 9x/Me:
To remove the virus by hand, boot into Safe Mode first: press the F8 key when you start your computer and select 'Safe Mode' from the menu that appears.
Delete the following files:
* C:\<%WinDIR%>\cnfrm.exe
* C:\<%WinDIR%>\zip.tmp
* C:\<%WinDIR%>\exe.tmp
* C:\<%WinDIR%>\eml.tmp
Start "regedit" after that and delete the following registry entries:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32"="C:\<%Windir%>\netwatch.exe"
Restart your computer.
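As an added defensive example that is not part of the original description, the following Python mail-gateway check (standard library only) tests a message for the traits listed under "The email has the following characteristics" above: the john@ sender, the subject line, the readnow.zip attachment and the readnow.doc.scr double-extension payload inside it. The sample messages it builds are constructed for testing and carry a harmless text stub in place of the worm.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MIMAIL_E_SUBJECT = "don't be late!"          # traits taken from the description above
MIMAIL_E_SENDER_LOCALPART = "john"
MIMAIL_E_ATTACHMENT = "readnow.zip"
MIMAIL_E_PAYLOAD = "readnow.doc.scr"
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com")

def mimail_e_indicators(raw: bytes) -> list:
    """Return the Mimail.E traits found in one raw RFC 822 message (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    senders = msg["From"].addresses if msg["From"] else ()
    if any(a.username.lower() == MIMAIL_E_SENDER_LOCALPART for a in senders):
        hits.append("from-john")
    if str(msg.get("Subject", "")).strip().lower() == MIMAIL_E_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == MIMAIL_E_ATTACHMENT:
            hits.append("attachment-name")
        if name.endswith(".zip"):
            try:  # look inside the archive; a corrupt zip is simply skipped
                members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
            except zipfile.BadZipFile:
                members = []
            for member in members:
                m = member.lower()
                if m == MIMAIL_E_PAYLOAD:
                    hits.append("payload-name")
                if m.endswith(EXECUTABLE_EXTS) and m.count(".") >= 2:  # e.g. readnow.doc.scr
                    hits.append("double-extension")
    return hits

def build_sample(sender: str, subject: str, zip_name: str, members: list) -> bytes:
    """Construct a test message; the zip holds a harmless text stub, not the worm."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("Hello Dear!, ... And yes, by the way here is the file you asked for.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "constructed placeholder, not the worm")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```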
Description added by Crony Walker on Tuesday, 15 June 2004