SecurityHome.eu Win32.Mimail.D,E,F,H@mm

Home / malware PDF

Win32.Mimail.D,E,F,H@mm

First posted on 21 November 2011.
Source: BitDefender
Aliases :
Win32.Mimail.D,E,F,H@mm is also known as W32/Mimail.gen@MM, (Mcafee.
Explanation :
There are only small differences between the two variants, D and F.
Like their predecessors, versions A and C, these versions also spread via e-mail.

The e-mail format is as follows:

From: john@???????? (??????? means any domain, for example yahoo.com etc)
Subject: don't be late! (30 spaces) ???????? (? may be any letter)
Body:
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attachmet: readnow.zip (containing file readnow.doc.scr)

Once run, the virus does the following:

- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager.

- copies itself as
cnfrm.exe (D@mm and E@mm variants)
sysload32.exe (F@mm variant)
cnfrm33.exe (H@mm variant)
in %WINDOWS% folder

- creates zip.tmp (copy of readnow.zip) and exe.tmp (copy of readnow.doc.scr) in %WINDOWS% folder

- creates the registry key

variants D@mm and E@mm:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
with the value "Cnfrm32"="%WINDOWS%cnfrm.exe"

variant F@mm:
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
with the value "SystemLoad32"="%WINDOWS%sysload32.exe"

variant H@mm:
[[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
with the value ["Cn323"="%WINDOWS%cnfrm33.exe"

- searches for e-mail addresses in files inside Program Files folder and also in files found using the registry list of folders

[HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folder]

and filters out files with extension: com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp, and stores harvested e-mail addresses in file %WINDOWS%eml.tmp

- uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 212.5.86.163

- checks if the infected computer is connected to the internet by attempting to access www.google.com

- attempts dos attacks
on (www.)spews.org, (www.)spamhaus.org, (www.)spamcop.net (D@mm variant).
on (www.)fethard.biz, (www.)fethard-finance.com (E@mm variant).
on (www.)mysupersales.com (F@mm variant).
on (www.)spews.org, (www.)spamhaus.org (H@mm variant).
Last update 21 November 2011

TOP

Malware :

Last 20