10,914 bytes (zipped), 10,784 bytes (packed with upx)
(W32/Mimail-M (Sophos) | W32.Mimail.M@mm (Symantec))
- Presence of the next files in %WINDOWS% folder:
netmon.exe (10,784 bytes)
nji2.tmp (10,784 bytes)
msi2.tmp (10,914 bytes)
- Presence of the next registry key:
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
Open Task Manager pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
use "End Process" on netmon.exe
delete the files netmon.exe, nji2.tmp, msi2.tmp, xjwu2.tmp from Windows folder;
open Registry Editor (click Start, Run and enter regedit)
remove the key:
let BitDefender delete/disinfect files found infected.
Patrik Vicol BitDefender Virus Researcher
Like all its predecessors, Win32.Mimail.M@mm spreads via e-mail.
It comes in the following e-mail format:
From: Wendy ???@???????? (the address is spoofed)
Subject: Re (44 spaces) ???????? (? may be any letter)
I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.
He took my skirt off, then my panties, then my bra, he su**ed my tits, with the same fury you do it. He was writing alphabet on my pu**y for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger.But Greg, why didn't you warn me that his d**k is 15 inches long?? I was struck, we fu**ed whole night.
I\'m so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...
Attachmet: only_for_greg.zip (containing file for_greg.jpg.exe)
Once run, the virus does the following:
- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager.
- copies itself as netmon.exe in in %WINDOWS% folder
- creates msi2.tmp (copy of only_for_greg.zip) and nji2.tmp (copy of for_greg.jpg.exe) in %WINDOWS% folder
- creates the registry key
- searches for e-mail addresses in files inside "Program Files" folder and also in files found using the registry list of folders
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder] and filters out files with extension:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp
and stores harvested e-mail addresses in file %WINDOWS%\xjwu2.tmp
- uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 188.8.131.52
- checks if the infected computer is connected to the internet by attempting to access www.register.com
- attempts dos attacks on (www.)darkprofits.ws, (www.)darkprofits.ws, (www.)darkprofits.com, (www.)darkprofits.net