BitDefender Antivirus

Win32.Mimail.T@mm

( W32/Mimail-T )
Spreading: very low
Damage: very low
Size: 14880 bytes
Discovered: 2004 Feb 05

SYMPTOMS:

File KASPERSKY.EXE in the Windows directory (%WINDIR%)

Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE

TECHNICAL DESCRIPTION:

The mass-mailing worm arrives by e-mail as an attachment whose file name is formed by combining one word from each of the following two groups:
my, priv, private, prv, the, best, super, great, cool, wild, sex, f*ck
and
pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action

and with one of the following extensions:
  • .pif
  • .scr
  • .exe
  • .jpg.scr
  • .jpg.pif
  • .jpg.exe
  • .gif.exe
  • .gif.pif
  • .gif.scr
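As an added example, not part of the BitDefender description, a small Python filter that tests attachment names against the naming scheme just described (a mail-gateway or log-triage check). It assumes the two words are joined directly or by a single '_' or '-' separator, which the description does not specify:

```python
import re

# Word groups and extensions exactly as listed in the description above.
PREFIXES = ["my", "priv", "private", "prv", "the", "best", "super", "great",
            "cool", "wild", "sex", "f*ck"]
SUBJECTS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs", "scene",
            "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]


def _alt(words):
    # Build a regex alternation; longest first so "private" is tried before "priv".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Assumption (not stated on the page): words are joined directly or by '_' / '-'.
_PATTERN = re.compile(
    rf"^(?P<prefix>{_alt(PREFIXES)})[_-]?(?P<subject>{_alt(SUBJECTS)})"
    rf"(?P<ext>{_alt(EXTENSIONS)})$",
    re.IGNORECASE,
)


def match_mimail_attachment(filename):
    """Return (prefix, subject, ext) if the name fits the worm's scheme, else None."""
    m = _PATTERN.match(filename.strip())
    if not m:
        return None
    return (m.group("prefix").lower(), m.group("subject").lower(), m.group("ext").lower())


def flag_attachments(names):
    """Return the attachment names that match the scheme, preserving order."""
    return [n for n in names if match_mimail_attachment(n) is not None]


# Constructed sample attachment names, not taken from any real message.
SAMPLE_ATTACHMENTS = [
    "myphotos.jpg.scr",    # word + word + double extension
    "PrivatePic.gif.pif",  # mixed case still matches
    "super_images.exe",    # assumed '_' separator
    "wildscene.jpg",       # .jpg alone is not one of the listed extensions
    "report.exe",          # does not use the worm's word lists
    "mypics.scr",          # "pics" is not in the list, so no match
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:22} -> {match_mimail_attachment(name)}")
```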

It copies itself to
%WINDIR%\KASPERSKY.EXE
%WINDIR%\EE98AF.TMP

and creates the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
with the value:
Explorer3 = 0

It spreads by sending mail through its own SMTP (mail sending) engine, after scanning the hard disk for e-mail addresses, which it saves to the following file:
%WINDIR%\OUTLOOK.CFG

It also attempts to attack the following websites:
  • spews.org
  • darkprofits.net
  • darkprofits.cc
  • darkprofits.com

The worm contains text that is never displayed:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***

Removal instructions:

Let BitDefender delete all files found infected by this worm.

ANALYZED BY:

Mihai NEAGU
BitDefender Virus Researcher