Win32.Mimail.M@mm

MEDIUM
LOW
10,914 bytes (zipped), 10,784 bytes (packed with upx)
(W32/Mimail-M (Sophos) | W32.Mimail.M@mm (Symantec))

Symptoms


- Presence of the following files in the %WINDOWS% folder:

netmon.exe (10,784 bytes)
nji2.tmp (10,784 bytes)
msi2.tmp (10,914 bytes)
xjwu2.tmp

- Presence of the following registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"NetMon"="%WINDOWS%\netmon.exe"]


where %WINDOWS% points to the Windows folder (or the WinNT folder on Windows NT based systems)
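The following Python script is an added example, not part of the Bitdefender write-up: it checks the two groups of symptoms above (dropped files with their sizes, and the NetMon autostart entry) against an offline Registry Editor export and a file listing of the Windows folder, which is how an analyst would triage a disk image or a collected `.reg` file. The `.reg` text and the listing are constructed sample input; the parser and the check functions are mine; the file names, sizes and the Run value come from this page.

```python
# Indicators taken from the advisory: files dropped in %WINDOWS% (name -> size
# in bytes, None where the size varies) and the autostart value it creates.
MIMAIL_M_FILES = {
    "netmon.exe": 10784,
    "nji2.tmp": 10784,
    "msi2.tmp": 10914,
    "xjwu2.tmp": None,   # harvested-address store, size depends on what was found
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NetMon"

# Constructed sample: a Registry Editor export of the Run key on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetMon"="C:\\WINDOWS\\netmon.exe"
"SoundMan"="SOUNDMAN.EXE"
'''

# Constructed sample: {file name: size in bytes} for the Windows folder.
SAMPLE_LISTING = {
    "netmon.exe": 10784,
    "nji2.tmp": 10784,
    "msi2.tmp": 10914,
    "xjwu2.tmp": 311,
    "explorer.exe": 1032192,
}


def parse_reg_export(text):
    """Parse Registry Editor export text into {key path: {value name: data}}.

    Handles the quoted string values a Run key holds; other value types are kept raw.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes inside string data
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def check_run_key(reg):
    """Return Run-key values that match the NetMon autostart entry."""
    hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE.lower() or data.lower().endswith("\\netmon.exe"):
                hits.append(f"{key}\\{name} = {data}")
    return hits


def check_files(listing):
    """Return dropped-file indicators present in a {name: size} listing of %WINDOWS%."""
    lowered = {name.lower(): size for name, size in listing.items()}
    hits = []
    for name, expected in MIMAIL_M_FILES.items():
        if name in lowered and (expected is None or lowered[name] == expected):
            hits.append(f"{name} ({lowered[name]} bytes)")
    return hits


def triage(reg_text, listing):
    """Combine both checks; an empty list means none of the page's indicators were seen."""
    return check_run_key(parse_reg_export(reg_text)) + check_files(listing)


if __name__ == "__main__":
    for hit in triage(SAMPLE_REG, SAMPLE_LISTING):
        print("indicator:", hit)
```

The size match matters: `netmon.exe` and `nji2.tmp` are the same 10,784-byte UPX-packed file, so a file with the right name but a different size is reported only for `xjwu2.tmp`, whose size depends on how many addresses were harvested.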

Removal instructions:


Manual Removal

Open Task Manager by pressing [CTRL]+[ALT]+[DEL], or [CTRL]+[SHIFT]+[ESC] on Windows 2000/XP;
use "End Process" on netmon.exe;
delete the files netmon.exe, nji2.tmp, msi2.tmp and xjwu2.tmp from the Windows folder;

open Registry Editor (click Start, Run and enter regedit)
remove the key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon]


Automatic Removal

Let BitDefender delete/disinfect the files found infected.

Analyzed By

Patrik Vicol, BitDefender Virus Researcher

Technical Description:


Like all its predecessors, Win32.Mimail.M@mm spreads via e-mail.

It comes in the following e-mail format:

From: Wendy ???@???????? (the address is spoofed)
Subject: Re[3] (44 spaces) ???????? (? may be any letter)

Body:

Hello Greg,

I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.

He took my skirt off, then my panties, then my bra, he su**ed my tits, with the same fury you do it. He was writing alphabet on my pu**y for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger. But Greg, why didn't you warn me that his d**k is 15 inches long?? I was struck, we fu**ed whole night.

I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...

Wendy.


Attachment: only_for_greg.zip (containing the file for_greg.jpg.exe)
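As an added example (not code from Bitdefender or from the page), here is a mail-gateway style check in Python that turns the message format above into detection logic: it matches the subject pattern (`Re[3]`, exactly 44 spaces, 8 letters), the attachment name, and the archive member `for_greg.jpg.exe`. The double-extension pattern is my own generalisation beyond the page; the sample messages are constructed, and the zip member is a text placeholder rather than an executable.

```python
import base64
import email
import io
import re
import zipfile

# Patterns taken from the advisory: the subject is "Re[3]", 44 spaces and 8 letters;
# the attachment is only_for_greg.zip holding for_greg.jpg.exe.
SUBJECT_RE = re.compile(r"^Re\[3\] {44}[A-Za-z]{8}$")
ATTACHMENT_NAME = "only_for_greg.zip"
DROPPED_NAME = "for_greg.jpg.exe"
# Assumed generalisation (mine, not the advisory's): an "image/document" name
# inside the archive that really ends in an executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|bmp|txt|doc|pdf)\.(exe|scr|pif|com|bat)$", re.I)


def zip_member_names(data):
    """Member names of an in-memory zip, or [] when the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def score_message(raw):
    """Return the Mimail.M indicators found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw)
    findings = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject: Re[3] + 44 spaces + 8 letters")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        if fname.lower() == ATTACHMENT_NAME:
            findings.append(f"attachment {fname}")
        for member in zip_member_names(part.get_payload(decode=True) or b""):
            if member.lower() == DROPPED_NAME:
                findings.append(f"zip member {member}")
            elif DOUBLE_EXT_RE.search(member):
                findings.append(f"zip member with double extension {member}")
    return findings


def build_sample(subject, zip_name, member_name, member_bytes):
    """Constructed test message: multipart/mixed with one base64-encoded zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    b64 = base64.encodebytes(buf.getvalue()).decode().replace("\n", "\r\n")
    return (
        "From: Wendy <wendy@example.invalid>\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="bd"\r\n'
        "\r\n--bd\r\n"
        "Content-Type: text/plain\r\n\r\nHello Greg,\r\n"
        "--bd\r\n"
        f'Content-Type: application/zip; name="{zip_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{zip_name}"\r\n\r\n'
        f"{b64}--bd--\r\n"
    ).encode()


# Constructed samples; the zip member is a harmless placeholder, not an executable.
SAMPLE_MESSAGE = build_sample("Re[3]" + " " * 44 + "abcdefgh", "only_for_greg.zip",
                              "for_greg.jpg.exe", b"placeholder, not code")
BENIGN_MESSAGE = build_sample("Re: lunch", "notes.zip", "notes.txt", b"see you at noon")

if __name__ == "__main__":
    print(score_message(SAMPLE_MESSAGE))   # three indicators
    print(score_message(BENIGN_MESSAGE))   # []
```

The subject match is deliberately exact (44 spaces, not "many spaces"), because that is the fingerprint the page gives; the archive inspection is the more durable check, since the attachment name can change between variants while the executable-hidden-as-image trick usually does not.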


Once run, the virus does the following:

- on Windows 9x/Me systems, hides its presence using RegisterServiceProcess, so it does not appear in Task Manager
- copies itself as netmon.exe in the %WINDOWS% folder
- creates msi2.tmp (a copy of only_for_greg.zip) and nji2.tmp (a copy of for_greg.jpg.exe) in the %WINDOWS% folder
- creates the registry entry
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon="%WINDOWS%\netmon.exe"]
- searches for e-mail addresses in files inside the "Program Files" folder and in the folders listed under the registry key
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder], skipping files with the extensions:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp
and stores the harvested e-mail addresses in the file %WINDOWS%\xjwu2.tmp
- uses its own SMTP engine to send itself: for each harvested e-mail address it queries the host's DNS server for the domain name associated with that address and attempts to send itself through that domain's SMTP server or, if that fails, through the SMTP server at 212.5.86.163
- checks whether the infected computer is connected to the Internet by attempting to access www.register.com
- attempts DoS attacks on (www.)darkprofits.ws, (www.)darkprofits.ws, (www.)darkprofits.com, (www.)darkprofits.net
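The network behaviour in the last three points (direct SMTP delivery to each recipient's domain with a fixed fallback relay, a connectivity probe to www.register.com, and traffic to the darkprofits domains) is what a perimeter log shows before the mail engine is ever seen on a host. The following Python script is an added example, not part of the Bitdefender write-up: it runs those checks over constructed firewall-style log lines. The log format, the parsing regex and the fan-out threshold of five distinct SMTP destinations are my assumptions; the IP address and host names are the ones stated on this page.

```python
import re
from collections import defaultdict

FALLBACK_SMTP = "212.5.86.163"           # fallback relay named in the advisory
CONNECTIVITY_CHECK = "www.register.com"  # host used for the "am I online" probe
DOS_TARGETS = {"darkprofits.ws", "darkprofits.com", "darkprofits.net"}
SMTP_FANOUT_THRESHOLD = 5  # assumed: a workstation rarely talks to 5+ mail servers

# Assumed log format (constructed for this example, not any product's real format):
# <timestamp> src=<ip> dst=<ip> dport=<port> [name=<resolved destination name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
    r"(?: name=(?P<name>\S+))?$"
)

# Constructed sample: one infected workstation (10.0.0.5) and one clean one (10.0.0.7)
# that only uses the internal mail server. External addresses are documentation ranges.
SAMPLE_LOG = """\
2004-01-25T09:00:01 src=10.0.0.5 dst=198.51.100.20 dport=80 name=www.register.com
2004-01-25T09:00:05 src=10.0.0.5 dst=203.0.113.10 dport=25 name=mx.example.net
2004-01-25T09:00:06 src=10.0.0.5 dst=203.0.113.11 dport=25 name=mx.example.org
2004-01-25T09:00:07 src=10.0.0.5 dst=203.0.113.12 dport=25
2004-01-25T09:00:08 src=10.0.0.5 dst=203.0.113.13 dport=25
2004-01-25T09:00:09 src=10.0.0.5 dst=212.5.86.163 dport=25
2004-01-25T09:00:20 src=10.0.0.5 dst=203.0.113.50 dport=80 name=www.darkprofits.ws
2004-01-25T09:01:00 src=10.0.0.7 dst=10.0.0.2 dport=25 name=mail.corp.example
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict for one log line, or None when it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def base_domain(name):
    """Drop a leading 'www.' so both forms the advisory lists compare equal."""
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def analyze(lines):
    """Map each source IP to the list of Mimail.M network indicators it produced."""
    smtp_dsts = defaultdict(set)
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, name = rec["src"], rec["dst"], rec["dport"], rec["name"]
        if dport == 25:
            smtp_dsts[src].add(dst)
            if dst == FALLBACK_SMTP:
                findings[src].append(f"SMTP to fallback relay {FALLBACK_SMTP}")
        if name:
            dom = base_domain(name)
            if dom == base_domain(CONNECTIVITY_CHECK):
                findings[src].append(f"connectivity probe to {CONNECTIVITY_CHECK}")
            if dom in DOS_TARGETS:
                findings[src].append(f"traffic to DoS target {name}")
    # Direct-to-MX delivery: one host opening SMTP to many distinct servers.
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_FANOUT_THRESHOLD:
            findings[src].append(f"direct SMTP to {len(dsts)} distinct hosts (own mail engine)")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(src)
        for hit in hits:
            print("  -", hit)
```

The fan-out rule is the one that generalises: the relay address and the DoS targets identify this variant, while a workstation that opens port 25 to a different server for every recipient is the signature of any mass-mailer carrying its own SMTP engine, which is also why blocking outbound port 25 from client networks except to the corporate mail server stops delivery regardless of variant.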