
Win32.Mimail.N@mm

LOW
MEDIUM
Size: 23,072 bytes (23,194 bytes zipped)

Symptoms

- Presence of the following files in the %WINDOWS% folder:

winmgr32.exe (23,072 bytes)
ee98af.tmp (23,072 bytes, a copy of the virus)
zipzip.tmp (23,194 bytes, zipped copy of the virus)
outlook.cfg
crc32.cfg


- Presence of any of the following files in the root of drive C:

index.hta
index2.hta
tmpny3.txt (stores the personal and credit card information entered into the fake form)
tmpcan3.txt
tmpenc.txt
tmpeg2.txt
tmpgld.txt
tmppsw.txt
tmpeml.txt

- Presence of the following registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMgr32"="C:\WINDOWS\winmgr32.exe"


where %WINDOWS% is the Windows folder (Windows, or WinNT on Windows NT based systems) and
%SYSTEM% is the "System" folder on Windows 9x systems and the "System32" folder on Windows NT based systems.

Removal instructions:

Manual Removal

Open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESC] on Windows 2000/XP),
use "End Process" on winmgr32.exe,
then delete all files listed under Symptoms and remove the "WinMgr32" value from the Run key listed there. On Windows 9x the process hides itself from the task list (see the Technical Description), so a reboot after removing the Run value may be needed before the files can be deleted. Reset the Internet Explorer start page if it was changed.
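The indicators above can be checked with a short triage script. The following Python script is an added example, not a Bitdefender tool: the file names, sizes and the Run value are exactly those listed under Symptoms; the snapshot format, the severity labels and the live-collection helper are my own assumptions. The matching logic is kept separate from collection so it can be run against a saved listing from another host.

```python
"""Triage a Windows host for the Win32.Mimail.N@mm indicators (added example)."""
import os
import sys

# Indicators from the Symptoms section. A size of None means the page gives no size.
WINDOWS_DIR_FILES = {
    "winmgr32.exe": 23072,
    "ee98af.tmp": 23072,
    "zipzip.tmp": 23194,
    "outlook.cfg": None,
    "crc32.cfg": None,
}
ROOT_FILES = {"index.hta", "index2.hta", "tmpny3.txt", "tmpcan3.txt", "tmpenc.txt",
              "tmpeg2.txt", "tmpgld.txt", "tmppsw.txt", "tmpeml.txt"}
RUN_VALUE = "WinMgr32"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def check_snapshot(windows_files, root_files, run_values):
    """Match a host snapshot against the indicators.

    windows_files: {lowercase file name: size} for the %WINDOWS% folder
    root_files:    {lowercase file name: size} for the root of drive C:
    run_values:    {value name: data} from HKLM\\...\\Run
    Returns a list of (severity, description) findings; empty means clean.
    """
    findings = []
    for name, expected in WINDOWS_DIR_FILES.items():
        if name in windows_files:
            actual = windows_files[name]
            if expected is None or actual == expected:
                findings.append(("high", f"%WINDOWS%\\{name} present ({actual} bytes)"))
            else:  # same name, different size: possibly another variant or a false positive
                findings.append(("medium", f"%WINDOWS%\\{name} present, size {actual} != {expected}"))
    for name in sorted(ROOT_FILES):
        if name in root_files:
            # tmpny3.txt holds harvested card data, so treat it as the most urgent
            severity = "high" if name == "tmpny3.txt" else "medium"
            findings.append((severity, f"C:\\{name} present"))
    for value, data in run_values.items():
        if value.lower() == RUN_VALUE.lower() or "winmgr32.exe" in str(data).lower():
            findings.append(("high", f"Run value {value!r} = {data!r}"))
    return findings


def collect_live():
    """Build the snapshot from the running Windows host (raises elsewhere)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg  # Windows-only module, imported lazily on purpose

    def listing(path):
        out = {}
        try:
            for entry in os.scandir(path):
                if entry.is_file():
                    out[entry.name.lower()] = entry.stat().st_size
        except OSError:
            pass
        return out

    run_values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                run_values[name] = data
                index += 1
    except OSError:
        pass
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return listing(windir), listing(os.path.splitdrive(windir)[0] + "\\"), run_values


if __name__ == "__main__":
    for severity, message in check_snapshot(*collect_live()):
        print(f"[{severity}] {message}")
```

Run it on the suspect host as an administrator; a file matching by name but not by size is reported at lower severity rather than ignored, because the zipped and raw sizes above belong to this exact variant.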

Automatic Removal

Let BitDefender delete/disinfect the files found infected.

Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:

With signature files dated before January 7, 2004, the virus was detected as Win32.Mimail.Gen@mm.

Like Win32.Mimail.I@mm, this variant also fakes an e-mail from PayPal:

Subject: GREAT NEW YEAR OFFER FROM PAYPAL.COM! ??????????
(where ? can be any character)

Body:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***

Dear PayPal.com Member,

We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!

If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.

That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!

Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com

Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!

Best of luck in the New Year,
PayPal.com Team

Attachment: pp-app.zip
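A mail gateway can drop this lure before a user ever sees the attachment. The following Python check is an added example and not part of the original description: it flags a message whose Subject starts with the fixed prefix shown above, whose attachment is named pp-app.zip, or whose zip attachment carries an executable. The sample message it builds is constructed here for the test; the list of executable extensions and the rule that two matching indicators block the message are my assumptions.

```python
"""Gateway check for the Win32.Mimail.N@mm PayPal lure (added example)."""
import email
import io
import zipfile
from email.message import EmailMessage

SUBJECT_PREFIX = "GREAT NEW YEAR OFFER FROM PAYPAL.COM!"   # fixed part; random characters follow
ATTACHMENT_NAME = "pp-app.zip"
# Assumption: extensions Windows will execute directly when the archive is unpacked.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_message(raw_bytes):
    """Return (verdict, reasons) for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    subject = msg.get("Subject") or ""
    if subject.upper().startswith(SUBJECT_PREFIX):
        reasons.append("subject matches Mimail.N lure")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        if name.lower() == ATTACHMENT_NAME:
            reasons.append(f"attachment named {name}")
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(EXECUTABLE_EXT):
                            reasons.append(
                                f"zip contains executable {info.filename} ({info.file_size} bytes)")
            except zipfile.BadZipFile:
                reasons.append("zip attachment is not a valid archive")
    # Assumption: one indicator alone is only suspicious, two or more block the message.
    verdict = "block" if len(reasons) >= 2 else ("suspicious" if reasons else "clean")
    return verdict, reasons


def build_sample(subject, attach_name, inner_name, inner_bytes):
    """Construct a message carrying a zip with one file inside (test data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "service@paypal.com"   # the worm forges the sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("Dear PayPal.com Member, ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Inner file mimics the 23,072-byte executable described on this page.
    sample = build_sample("GREAT NEW YEAR OFFER FROM PAYPAL.COM! qwertyuiop",
                          "pp-app.zip", "pp-app.exe", b"MZ" + b"\0" * 23070)
    print(classify_message(sample))
```

The subject check is a prefix match because the worm appends random characters, so an exact-match rule would miss every copy; the zip is inspected in memory rather than trusting the outer file name.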

Once run, the virus does the following:

1. Displays fake PayPal screens (the registration form that asks for personal and credit card details)
2. Hides its presence on Win9x systems using RegisterServiceProcess, so it does not appear in the task list there

3. Copies itself as %WINDOWS%\winmgr32.exe

4. Creates the registry entry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMgr32"="C:\WINDOWS\winmgr32.exe"

5. Attempts to set the Internet Explorer start page to
http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg

6. Creates the files c:\index.hta and c:\index2.hta and executes c:\index.hta, which displays the
fake PayPal screens described above; the personal and credit card information entered into them
is stored in c:\tmpny3.txt

7. Attempts to send the contents of tmpny3.txt to a remote server.

8. Deletes and recreates the files:

%WINDOWS%\zipzip.tmp (zipped copy of the virus)
%WINDOWS%\ee98af.tmp (copy of the virus)

9. Checks whether the computer is online by attempting to connect to www.google.com

10. Searches for e-mail addresses inside files found under the folders listed in the registry key Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (including Cookies), as well as under C:\ and C:\Program Files\,
skipping files with the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp

11. Attempts to send dial-up and local passwords to a few hardcoded e-mail addresses.

12. Uses its own SMTP engine to send itself: for each harvested e-mail address it queries the host's DNS server for the mail server of that address's domain and attempts to deliver itself directly to that server; if that fails, it falls back to the SMTP server at 212.5.86.163. Because delivery bypasses the organisation's own mail relay, it never passes through the relay's virus scanning.

The virus may also attempt to update itself by downloading a file to c:\mm.exe and executing it.
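Step 12 gives a network-side signal: a workstation that opens SMTP connections directly to many different mail servers, or to the hardcoded fallback 212.5.86.163, is behaving like this worm's mailer. The following Python detection is an added example, not part of the original description. The flow-log line format, the internal relay address 10.0.0.5 and the threshold of five distinct external SMTP destinations are assumptions, and the sample log lines are constructed for the test (external addresses are from the reserved documentation ranges).

```python
"""Flag workstations mass-mailing directly to remote SMTP servers (added example)."""
from collections import defaultdict

FALLBACK_RELAY = "212.5.86.163"     # hardcoded fallback SMTP server named on this page
INTERNAL_RELAY = "10.0.0.5"         # assumption: the site's legitimate mail relay
DISTINCT_HOST_THRESHOLD = 5         # assumption: a desktop never needs this many SMTP peers

# Constructed flow export, one line per connection: "<timestamp> <src> <dst> <dport>".
SAMPLE_LOG = """\
2004-01-06T10:02:11 10.0.0.15 10.0.0.5 25
2004-01-06T10:02:40 10.0.0.15 10.0.0.5 25
2004-01-06T10:03:02 10.0.0.15 198.51.100.7 443
2004-01-06T10:05:13 10.0.0.23 198.51.100.10 25
2004-01-06T10:05:14 10.0.0.23 198.51.100.11 25
2004-01-06T10:05:15 10.0.0.23 198.51.100.12 25
2004-01-06T10:05:16 10.0.0.23 203.0.113.5 25
2004-01-06T10:05:17 10.0.0.23 203.0.113.6 25
2004-01-06T10:05:19 10.0.0.23 212.5.86.163 25
"""


def parse_flows(text):
    """Parse log lines into (src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            flows.append((fields[1], fields[2], int(fields[3])))
        except ValueError:
            continue
    return flows


def find_mass_mailers(flows, threshold=DISTINCT_HOST_THRESHOLD, relay=INTERNAL_RELAY):
    """Return {src: [reasons]} for sources whose SMTP traffic looks like the worm's mailer."""
    external_peers = defaultdict(set)
    hits = defaultdict(list)
    for src, dst, dport in flows:
        if dport != 25:
            continue
        if dst == FALLBACK_RELAY:
            hits[src].append(f"connected to fallback relay {FALLBACK_RELAY}")
        if dst != relay:                      # direct delivery bypassing the site relay
            external_peers[src].add(dst)
    for src, peers in external_peers.items():
        if len(peers) >= threshold:
            hits[src].append(f"SMTP to {len(peers)} distinct external hosts")
    return dict(hits)


if __name__ == "__main__":
    for src, reasons in find_mass_mailers(parse_flows(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

The fallback address is a single exact indicator for this variant; the distinct-host count is the more durable rule, since it catches any mailer that performs its own DNS lookups and direct delivery, and it is also the behaviour an egress rule restricting outbound port 25 to the internal relay would block outright.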