Win32.Mimail.P@mm
VERY LOW
VERY LOW
Size: 12080 bytes
Aliases: I-Worm.Mimail.u (Kaspersky), Troj/Pinbol-A (Sophos), W32/Cyclop.A.worm (Panda)
Symptoms
Presence of the following file in the Windows System directory: SMVC32.EXE
Presence of the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
SMVC = %SYSDIR%\SMVC32.EXE
Removal instructions:
Let BitDefender delete all files found infected with this worm.
Analyzed By
Adrian Gostin, BitDefender Virus Researcher
Technical Description:
When run, the worm does the following:
Copies itself to the Windows System directory as SMVC32.EXE.
Creates the following registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SMVC = %SYSDIR%\SMVC32.EXE, so that it is executed every time Windows starts up;
- HKCU\Software\socks\;
- HKCU\Software\serv\;
- HKCU\Software\chan\.
Connects to a predefined IRC server and listens for commands from the attacker (such as "execute", "shutdown", etc.), which makes the infected machine remotely controllable.
Harvests e-mail addresses from the infected computer, stores them in the file c:\cyclop.bin and periodically sends them to the attacker by e-mail.
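The indicators above can be checked by hand. The following PowerShell script is an added example written for this page, not a BitDefender tool; it looks for the dropped file, the SMVC autostart value, the three HKCU configuration keys and the harvest file. It assumes the worm uses the standard autostart key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and on 64-bit Windows it also checks the SysWOW64 directory and the Wow6432Node Run key, since a 32-bit process may be redirected there.

```powershell
# Added example (not BitDefender's code): check this page's Win32.Mimail.P@mm indicators.
# Assumptions: standard Run key under Software\Microsoft\Windows\CurrentVersion;
# 32-bit file/registry redirection on 64-bit Windows, so both locations are checked.

$findings = @()

# 1. Dropped copy in the Windows System directory (described size: 12080 bytes)
$sysDirs = @("$env:SystemRoot\System32")
if (Test-Path "$env:SystemRoot\SysWOW64") { $sysDirs += "$env:SystemRoot\SysWOW64" }
foreach ($dir in $sysDirs) {
    $path = Join-Path $dir 'SMVC32.EXE'
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($size bytes)"
    }
}

# 2. Autostart value SMVC in the Run key (native and WOW64 view)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMVC
        if ($value) { $findings += "Run value: $key\SMVC = $value" }
    }
}

# 3. Configuration keys the worm creates under HKCU (only the current user's hive)
foreach ($sub in 'socks', 'serv', 'chan') {
    $key = "HKCU:\Software\$sub"
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}

# 4. Harvested e-mail address store
$harvest = 'C:\cyclop.bin'
if (Test-Path -LiteralPath $harvest) {
    $size = (Get-Item -LiteralPath $harvest).Length
    $findings += "Harvest file present: $harvest ($size bytes)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Mimail.P@mm indicators found.'
} else {
    Write-Output 'Possible Win32.Mimail.P@mm infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Run a full BitDefender scan and let it delete the infected files, then re-run this check.'
}
```

Run it from an elevated PowerShell prompt. Two caveats: the HKCU keys belong to whichever user account ran the worm, so log on as (or load the hive of) that user when checking a multi-user machine; and the names socks, serv and chan are generic enough that a legitimate program could create such keys, so treat them as supporting evidence next to the SMVC32.EXE file and the SMVC Run value rather than as proof on their own.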