
Win32.Mimail.T@mm

Spreading: VERY LOW
Damage: VERY LOW
Size: 14880 bytes
Alias: W32/Mimail-T

Symptoms

File KASPERSKY.EXE in Windows directory (%WINDIR%)

Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE

Removal instructions:

Let BitDefender delete all files found infected by this worm.

Analyzed By

Mihai NEAGU, BitDefender Virus Researcher

Technical Description:

The mass-mailing worm arrives by e-mail with an attachment whose file name is formed by combining one word from the first list below with one word from the second:
my, priv, private, prv, the, best, super, great, cool, wild, sex, f*ck
and
pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action

followed by one of the following extensions (note the double extensions, which make an executable look like an image file):
  • .pif
  • .scr
  • .exe
  • .jpg.scr
  • .jpg.pif
  • .jpg.exe
  • .gif.exe
  • .gif.pif
  • .gif.scr

It copies itself to
%WINDIR%\KASPERSKY.EXE
%WINDIR%\EE98AF.TMP

and creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
with the value:
Explorer3 = 0
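As an added example (not part of the Bitdefender entry), the following Python code turns the two indicator sets above into checks: a mail-gateway filter for attachment names built from the two word lists and the extension list, and a test for the persistence value the worm writes under the Run key. It assumes the two words are joined directly or by a single "_" or "-", which the description does not state.

```python
import re

# Word lists and extensions exactly as given in the description above.
FIRST_WORDS = ["my", "priv", "private", "prv", "the", "best", "super",
               "great", "cool", "wild", "sex", "f*ck"]
SECOND_WORDS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs",
                "scene", "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]

# Assumption (the page does not say how the two words are joined): the
# words are adjacent or separated by a single '_' or '-'.
_SEP = r"[_-]?"


def _alt(items):
    """Build a non-capturing regex alternation from literal strings."""
    return "(?:" + "|".join(re.escape(i) for i in items) + ")"


# Anchored at both ends, so "my_pic.jpg" (no executable extension) and
# "holiday.jpg.scr" (wrong word pattern) do not match.
_NAME_RE = re.compile(
    "^" + _alt(FIRST_WORDS) + _SEP + _alt(SECOND_WORDS) + _alt(EXTENSIONS) + "$",
    re.IGNORECASE,
)


def matches_mimail_t_name(filename):
    """True if an attachment name fits the Mimail.T naming scheme."""
    return _NAME_RE.match(filename.strip()) is not None


def flag_attachments(names):
    """Return the attachment names that fit the scheme, in input order."""
    return [n for n in names if matches_mimail_t_name(n)]


def is_mimail_run_value(value_name, value_data):
    """True for the persistence entry the worm writes under
    HKLM\\...\\CurrentVersion\\Run: KasperskyAV = %WINDIR%\\KASPERSKY.EXE.
    Matched on the value name and the file name only, so an already
    expanded %WINDIR% (e.g. C:\\WINDOWS) is still detected."""
    return (value_name.lower() == "kasperskyav"
            and value_data.strip().lower().endswith("\\kaspersky.exe"))


# Constructed sample input, not taken from a real mail run.
SAMPLE_ATTACHMENTS = ["my_pic.jpg.scr", "report.pdf", "superphotos.exe",
                      "holiday.jpg.scr", "private-action.gif.pif", "MY_PIC.SCR"]

if __name__ == "__main__":
    print(flag_attachments(SAMPLE_ATTACHMENTS))
    print(is_mimail_run_value("KasperskyAV", r"C:\WINDOWS\KASPERSKY.EXE"))
```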

It spreads by sending mail through its own SMTP (mail sending) engine. It scans the hard disk for e-mail addresses and saves them to the following file:
%WINDIR%\OUTLOOK.CFG

It also attempts to attack the following websites:
  • spews.org
  • darkprofits.net
  • darkprofits.cc
  • darkprofits.com

The worm contains the following text, which is never displayed:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***