Win32.Mimail.D,E,F,H@mm
MEDIUM
MEDIUM
10,912 bytes (zipped), 10,784 bytes (packed with upx)
(W32/Mimail.gen@MM (Mcafee))
Symptoms
- Presence of the next files in %WINDOWS% folder:
exe.tmp
zip.tmp
eml.tmp
cnfrm.exe (variants D@mm and E@mm)
sysload32.exe (variant F@mm)
cnfrm33.exe (variant H@mm)
- Presence of any of the next registry keys:
For D@mm and E@mm variants:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
contains the value "Cnfrm32"="%WINDOWS%\cnfrm.exe"
For F@mm variant:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
contains the value "SystemLoad32"="%WINDOWS%\sysload32.exe"
For H@mm variant:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
contains the value "Cn323"="%WINDOWS%\cnfrm33.exe"
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems).
Removal instructions:
Manual removal
Open Task Manager pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
use "End Process" on cnfrm.exe or sysload32.exe or cnfrm33.exe
delete the files eml.tmp, exe.tmp, zip.tmp from Windows folder;
open Registry Editor (click Start, Run and enter regedit)
remove any of the keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cn323]
Automatic removal:
Let BitDefender disinfect/delete files found infected.
Analyzed By
Patrik Vicol BitDefender Virus Researcher
Technical Description:
There are only small differences between the two variants, D and F.
Like their predecessors, versions A and C, these versions also spread via e-mail.
The e-mail format is as follows:
From: john@???????? (??????? means any domain, for example yahoo.com etc)
Subject: don\'t be late! (30 spaces) ???????? (? may be any letter)
Body:
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attachmet: readnow.zip (containing file readnow.doc.scr)
Once run, the virus does the following:
- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager.
- copies itself as
cnfrm.exe (D@mm and E@mm variants)
sysload32.exe (F@mm variant)
cnfrm33.exe (H@mm variant)
in %WINDOWS% folder
- creates zip.tmp (copy of readnow.zip) and exe.tmp (copy of readnow.doc.scr) in %WINDOWS% folder
- creates the registry key
variants D@mm and E@mm:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
with the value "Cnfrm32"="%WINDOWS%\cnfrm.exe"
variant F@mm:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
with the value "SystemLoad32"="%WINDOWS%\sysload32.exe"
variant H@mm:
[[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
with the value ["Cn323"="%WINDOWS%\cnfrm33.exe"
- searches for e-mail addresses in files inside Program Files folder and also in files found using the registry list of folders
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder]
and filters out files with extension: com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp, and stores harvested e-mail addresses in file %WINDOWS%\eml.tmp
- uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 212.5.86.163
- checks if the infected computer is connected to the internet by attempting to access www.google.com
- attempts dos attacks
on (www.)spews.org, (www.)spamhaus.org, (www.)spamcop.net (D@mm variant).
on (www.)fethard.biz, (www.)fethard-finance.com (E@mm variant).
on (www.)mysupersales.com (F@mm variant).
on (www.)spews.org, (www.)spamhaus.org (H@mm variant).
SHARE
THIS ON