Win32.Mimail.P@mm

VERY LOW
VERY LOW
Size: 12080 bytes
Aliases: I-Worm.Mimail.u (Kaspersky), Troj/Pinbol-A (Sophos), W32/Cyclop.A.worm (Panda)

Symptoms

Presence of the following file in the Windows System directory: SMVC32.EXE

Presence of the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
SMVC = %SYSDIR%\SMVC32.EXE

Removal instructions:

Let BitDefender delete all files found infected with this worm.

Analyzed By

Adrian Gostin, BitDefender Virus Researcher

Technical Description:

When run, the worm does the following:

- Copies itself to the Windows System directory as SMVC32.EXE.
- Creates the following registry keys and values:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SMVC = %SYSDIR%\SMVC32.EXE, so that it is executed every time Windows starts up;
  - HKCU\Software\socks\;
  - HKCU\Software\serv\;
  - HKCU\Software\chan\.
- Connects to a predefined IRC server and listens for commands (such as "execute", "shutdown", etc.).
- Harvests e-mail addresses from the infected computer, stores them in the file c:\cyclop.bin and periodically sends them to the attacker by e-mail.
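The indicators listed under Symptoms and in the technical description can be checked on a host with the PowerShell script below. It is an added example, not part of the BitDefender entry or its analysis. It assumes that %SYSDIR% is %SystemRoot%\System32, queries the standard HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key for the SMVC value, and treats the 12080-byte file size only as a weak hint, since the entry gives no hash. The network check relies on Get-NetTCPConnection, which exists on Windows 8 / Server 2012 and later, and is skipped elsewhere.

```powershell
# Added example (not from the BitDefender entry): report the Win32.Mimail.P@mm
# indicators described above. Run from an elevated PowerShell prompt.
# It only reports; it does not kill, delete or clean anything.
# Assumption: %SYSDIR% from the entry is $env:SystemRoot\System32.

$findings = @()

# 1. Dropped copy of the worm in the Windows System directory
$sysdir   = Join-Path $env:SystemRoot 'System32'
$dropPath = Join-Path $sysdir 'SMVC32.EXE'
if (Test-Path -LiteralPath $dropPath) {
    $len  = (Get-Item -LiteralPath $dropPath).Length
    # The entry lists a 12080-byte sample; treat the size as a hint only.
    $note = if ($len -eq 12080) { 'size matches the 12080-byte sample' }
            else { "size $len bytes, differs from the listed sample" }
    $findings += "File present: $dropPath ($note)"
}

# 2. Autostart entry: value SMVC under the HKLM Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SMVC']) {
    $findings += "Run value SMVC = $($run.SMVC)"
}

# 3. Configuration keys the worm creates under HKCU\Software
foreach ($name in 'socks', 'serv', 'chan') {
    $key = "HKCU:\Software\$name"
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

# 4. Store of harvested e-mail addresses
if (Test-Path -LiteralPath 'C:\cyclop.bin') {
    $findings += 'Harvested address file present: C:\cyclop.bin'
}

# 5. Running instance and any established connection it owns (the IRC
#    command channel is not named in the entry, so every remote end is listed)
$proc = Get-Process -Name SMVC32 -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: SMVC32 (PID $($proc.Id -join ', '))"
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += "Connection from SMVC32: $($_.RemoteAddress):$($_.RemotePort)"
            }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Mimail.P@mm indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Any hit means the host should be scanned and cleaned with BitDefender as the removal instructions say; deleting SMVC32.EXE by hand while the process is still running leaves the Run value to be recreated, and the mail-harvest file and the three HKCU keys would survive a file-only cleanup.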