Win32.Mimail.P@mm (I-Worm.Mimail.u (Kaspersky), Troj/Pinbol-A (Sophos), W32/Cyclop.A.worm (Panda))
SYMPTOMS:

Presence of the following file in the Windows System directory: SMVC32.EXE

Presence of the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run with the value: SMVC = %SYSDIR%\SMVC32.EXE

TECHNICAL DESCRIPTION:

When run, the worm does the following:

- Copies itself to the Windows System directory as SMVC32.EXE.
- Creates the following registry keys:
  - HKLM\Software\Microsoft\CurrentVersion\Run\SMVC = %SYSDIR%\SMVC32.EXE, so it is executed every time Windows starts up;
  - HKCU\Software\socks\;
  - HKCU\Software\serv\;
  - HKCU\Software\chan\.
- Connects to a predefined IRC server and listens for commands (such as "execute", "shutdown" etc.).
- Harvests e-mail addresses from the infected computer, stores them in the file "c:\cyclop.bin" and periodically sends them to the attacker by e-mail.

Removal instructions: Let BitDefender delete all files found infected with this worm.

ANALYZED BY: Adrian Gostin, BitDefender Virus Researcher
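The indicators above (the dropped file, the Run value, the three HKCU subkeys and the harvest file) can be turned into a host check. The following is an added example written for this page, not BitDefender's tool: it matches the listed artifacts against a host inventory. The inventory is a constructed sample embedded inline so the script runs offline; on a real host the same dictionaries would be filled from a registry export and directory listings. The registry path is kept exactly as the description gives it, and the Run check keys on the value name and file name rather than the full key path so it holds whichever Run key the value sits under.

```python
"""IoC check for the Win32.Mimail.P@mm artifacts listed in the description.

Added example, not part of the original entry. Runs over a constructed
host inventory (registry Run values, file listings, present subkeys).
"""
import ntpath
from typing import Dict, List

# Indicators as the description lists them.
DROPPED_FILE = "SMVC32.EXE"            # copied into the Windows System directory
RUN_VALUE_NAME = "SMVC"                # Run value pointing at %SYSDIR%\SMVC32.EXE
HARVEST_FILE = r"c:\cyclop.bin"        # harvested e-mail addresses are stored here
CONTROL_KEYS = (r"HKCU\Software\socks", r"HKCU\Software\serv", r"HKCU\Software\chan")


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """run_values maps value name -> data for the entries under a Run key."""
    hits = []
    for name, data in run_values.items():
        # Match the value name and the launched file; ignore case, Windows paths are case-insensitive.
        if name.upper() == RUN_VALUE_NAME and ntpath.basename(data).upper() == DROPPED_FILE:
            hits.append(f"Run value {name} = {data}")
    return hits


def check_files(system_dir_files: List[str], root_files: List[str]) -> List[str]:
    """system_dir_files: names in the Windows System directory; root_files: full paths in C:\\."""
    hits = []
    if any(f.upper() == DROPPED_FILE for f in system_dir_files):
        hits.append(f"{DROPPED_FILE} present in Windows System directory")
    if any(f.lower() == HARVEST_FILE for f in root_files):
        hits.append(f"{HARVEST_FILE} present (harvested e-mail addresses)")
    return hits


def check_registry_keys(present_keys: List[str]) -> List[str]:
    """Report which of the worm's HKCU subkeys exist on the host."""
    present = {k.lower().rstrip("\\") for k in present_keys}
    return [f"registry key {k} present" for k in CONTROL_KEYS if k.lower() in present]


def scan(inventory: dict) -> List[str]:
    """Run all checks and return the list of matched indicators."""
    return (check_run_values(inventory["run_values"])
            + check_files(inventory["system_dir_files"], inventory["root_files"])
            + check_registry_keys(inventory["registry_keys"]))


# Constructed inventory of an infected host (sample data, not from a real system).
INFECTED_HOST = {
    "run_values": {
        "SMVC": r"C:\WINDOWS\SYSTEM32\SMVC32.EXE",
        "ctfmon.exe": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
    },
    "system_dir_files": ["kernel32.dll", "SMVC32.EXE", "ctfmon.exe"],
    "root_files": [r"c:\boot.ini", r"c:\cyclop.bin"],
    "registry_keys": [r"HKCU\Software\socks\ ", r"HKCU\Software\serv", r"HKCU\Software\chan"],
}

# Constructed inventory of a clean host.
CLEAN_HOST = {
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\SYSTEM32\ctfmon.exe"},
    "system_dir_files": ["kernel32.dll", "ctfmon.exe"],
    "root_files": [r"c:\boot.ini"],
    "registry_keys": [],
}

if __name__ == "__main__":
    for label, inv in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        hits = scan(inv)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  ", hit)
```

A single match on the Run value or the dropped file is enough to warrant running the AV removal named above; the HKCU subkeys and c:\cyclop.bin on their own confirm the IRC-control and harvesting stages described.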