Home / malware Win32.Mimail.Q@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Mimail.Q@mm is also known as I-Worm.Mimail.Q.
Explanation :
This is an polymorphic mass mailer with backdoor capabilities.
It arrives in the following format:
From:
James2000@yahoo.com
or
%name%@%yourdomain%.%domain%
where %name% can be any name from the following list:
"john"
"alex"
"bob"
"robert"
"admin"
"root"
"adm"
"michael"
"sex"
"ben"
"bill"
"freddie"
"brian"
"roger"
"dan"
"george"
"jack"
"james"
"kevin"
"paul"
"peter"
"steve"
"thomas"
"victor"
"anthony"
"rick"
%yourdomain% is your computer domain name.
%domain% is one of the following:
.net
.com
.org
Subject and body:
A combination of words contained in the worm body.
Example:
Subject:
cool pictures just for you
Body:
Hello my darling Barbara
It’s amazing
My sister had best sex I ever seen last night with the friend of Alice
I turned on my digital hp video camera and create a lot of excellent pictures!
I beg you do not show it anybody else, deal?
Attachment:
A combination from the following words:
My, priv, private, prv, the, best, super, great, cool, wild, sex and
Pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action
with one of the following extensions:
.pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
Example of attachment:
My_Photos.jpg.pif
It is made by 2 components:
a polimorphic dropper and the worm itself.
The dropper is the file that comes as an attachment in an infected e-mail. When the user opens the attachment the dropper polymorphs itself and copies itself to %windir%sys32.exe
It adds the registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunsystem with value:%windir%sys32.exe
Then it drops the file outlook.exe in %windir%, it executes it and displays an error message:
'ERROR: Bad CRC32'
The outlook.exe is the internet worm.
After it is run it does the following:
It scans for internet services running at the infected computer and sends them
to some e-mail address.
It gathers e-mail addresses from all the files in computer except files with the
the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp
It saves the e-mail addresses it finds in the following file:
%windir%outlook.cfg
It sends the <sys32.exe file to all the e-mail addresses it the same format it arrives.
It opens a shell on port 3000 and waits for connections.
It waits for remote connections on port 6667.
It drops the file c:mshome.hta and executes it.
The hta file it is used for gathering personal information. These information are then sent to some e-mail addresses
The worm also uses the following registry keys for keeping track of its progress:
HKLMSoftwareMicrosoftWindowsCurrentVersionExplorer
Explorer,
Explorer2
Explorer3
Explorer4
Explorer5
The worm contains the following text:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: ********* will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? *** visit our friendly site **************'Last update 21 November 2011
