73728 bytes, 515 bytes, 11373 bytes, 19461 bytes
The presence of an email message like the one in the technical description.
- If you don't have BitDefender installed, click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Manymize.A@mm.
Sorin Victor Dudea BitDefender Virus Researcher
This is an Internet worm that spreads using two different exploits.
The first is the Iframe exploit, which allows the worm to be executed when the user previews the e-mail. The second one allows a script to be executed from a .wmv file (Windows Media File).
It arrives in the following format:
From:
An e-mail address randomly generated from a list of account names
And the domain: @patame.com.tw
Subject:
It is randomly generated from the following table:
First column: Hi; Dear; Hello; My friend; How are you !!
Second column: [, See this]; [, This is]; [, Open the]; [, Attached is my]; [, Watch my]
It takes an entry from every column and builds a sentence.
Ex: [Hi] [, See this] [amusing] [movie]
When the user previews the e-mail, the mi2.exe attachment is executed and the worm starts its spreading routine.
If the system is not vulnerable to the Iframe exploit, the worm will spread if the user opens one of the attachments.
Usually the user will open the mi2.wmv attachment. That file contains a URL to mi2.htm, and when it is viewed under Media Player the HTML is executed.
The HTML page gives control to mi2.chm, which contains a script that will open mi2.exe.
When mi2.exe is opened, the spreading routine is executed: the worm collects all e-mail addresses from the Outlook Express Address Book and sends itself to those addresses in the same format in which it arrives.
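
A mail-gateway style check for the message traits described above (sender domain, the four mi2.* attachment names, an iframe in an HTML part), as an added example that is not BitDefender's own code. The function names, the iframe pattern, the flagging policy and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SENDER_DOMAIN = "patame.com.tw"                              # from the description
ATTACHMENTS = {"mi2.exe", "mi2.wmv", "mi2.htm", "mi2.chm"}   # from the description
IFRAME_RE = re.compile(rb"<iframe\b", re.I)  # assumption: any iframe in an HTML part

def manymize_indicators(raw_message):
    """Return a sorted list of indicator labels found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = set()
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower().rpartition("@")[2] == SENDER_DOMAIN:
        hits.add("sender-domain")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.add("attachment:" + name)
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if IFRAME_RE.search(body):
                hits.add("html-iframe")
    return sorted(hits)

def is_suspect(raw_message):
    """Example policy (an assumption): listed attachment, or sender domain plus iframe."""
    hits = set(manymize_indicators(raw_message))
    named = any(h.startswith("attachment:") for h in hits)
    return named or {"sender-domain", "html-iframe"} <= hits

# Constructed sample message; the address local part and bodies are placeholders.
SAMPLE = """\
From: placeholder@patame.com.tw
To: user@example.org
Subject: Hi, See this amusing movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><IFRAME src="placeholder"></IFRAME></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="mi2.wmv"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(manymize_indicators(SAMPLE), is_suspect(SAMPLE))
```

Attachment names and the sender domain are the strongest signals here; an iframe alone also appears in legitimate HTML mail, which is why the example policy does not flag on it by itself.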