My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Mimail.D,E,F,H@mm

MEDIUM
MEDIUM
10,912 bytes (zipped), 10,784 bytes (packed with upx)
(W32/Mimail.gen@MM (Mcafee))

Symptoms


- Presence of the next files in %WINDOWS% folder:

exe.tmp
zip.tmp
eml.tmp
cnfrm.exe (variants D@mm and E@mm)
sysload32.exe (variant F@mm)
cnfrm33.exe (variant H@mm)

- Presence of any of the next registry keys:

For D@mm and E@mm variants:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
contains the value "Cnfrm32"="%WINDOWS%\cnfrm.exe"

For F@mm variant:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
contains the value "SystemLoad32"="%WINDOWS%\sysload32.exe"

For H@mm variant:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
contains the value "Cn323"="%WINDOWS%\cnfrm33.exe"

where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems).

Removal instructions:


Manual removal

Open Task Manager pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
use "End Process" on cnfrm.exe or sysload32.exe or cnfrm33.exe
delete the files eml.tmp, exe.tmp, zip.tmp from Windows folder;

open Registry Editor (click Start, Run and enter regedit)
remove any of the keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cn323]

Automatic removal:
Let BitDefender disinfect/delete files found infected.

Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:


There are only small differences between the two variants, D and F.
Like their predecessors, versions A and C, these versions also spread via e-mail.

The e-mail format is as follows:

From: john@???????? (??????? means any domain, for example yahoo.com etc)
Subject: don\'t be late! (30 spaces) ???????? (? may be any letter)
Body:
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

Attachmet: readnow.zip (containing file readnow.doc.scr)

Once run, the virus does the following:

- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager.

- copies itself as
cnfrm.exe (D@mm and E@mm variants)
sysload32.exe (F@mm variant)
cnfrm33.exe (H@mm variant)
in %WINDOWS% folder

- creates zip.tmp (copy of readnow.zip) and exe.tmp (copy of readnow.doc.scr) in %WINDOWS% folder

- creates the registry key

variants D@mm and E@mm:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
with the value "Cnfrm32"="%WINDOWS%\cnfrm.exe"

variant F@mm:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
with the value "SystemLoad32"="%WINDOWS%\sysload32.exe"

variant H@mm:
[[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
with the value ["Cn323"="%WINDOWS%\cnfrm33.exe"

- searches for e-mail addresses in files inside Program Files folder and also in files found using the registry list of folders

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder]

and filters out files with extension: com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp, and stores harvested e-mail addresses in file %WINDOWS%\eml.tmp

- uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 212.5.86.163

- checks if the infected computer is connected to the internet by attempting to access www.google.com

- attempts dos attacks
  • on (www.)spews.org, (www.)spamhaus.org, (www.)spamcop.net (D@mm variant).

  • on (www.)fethard.biz, (www.)fethard-finance.com (E@mm variant).

  • on (www.)mysupersales.com (F@mm variant).

  • on (www.)spews.org, (www.)spamhaus.org (H@mm variant).