
Win32.Mimail.T@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Mimail.T@mm is also known as W32/Mimail-T.

Explanation:

The mass-mailing worm arrives by e-mail with an attachment whose name is formed from the following words (one from each group):
my, priv, private, prv, the, best, super, great, cool, wild, sex, f*ck
and
pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action

and with one of the following extensions:
.pif
.scr
.exe
.jpg.scr
.jpg.pif
.jpg.exe
.gif.exe
.gif.pif
.gif.scr
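A mail-gateway filter for this naming scheme has to combine the two word groups with the extension list and treat the double extensions (.jpg.scr and the like) as a unit, not as a harmless .jpg. The following is an added example written for this page, not BitDefender's own detection logic; it assumes the attachment name is one word from the first group immediately followed by one from the second (the description does not say whether a separator sits between them, so an optional "_", "-" or "." is tolerated as an assumption). The sample file names in the usage section are constructed.

```python
import re

# Word groups from the description: one word from PREFIXES followed by one
# word from SUFFIXES forms the attachment's base name.
PREFIXES = ["my", "priv", "private", "prv", "the", "best", "super", "great",
            "cool", "wild", "sex", "f*ck"]
SUFFIXES = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs",
            "scene", "plp", "act", "action"]
# Extensions from the description. Double extensions come first so that
# ".jpg.scr" is consumed whole rather than only its trailing ".scr".
EXTENSIONS = [".jpg.scr", ".jpg.pif", ".jpg.exe", ".gif.exe", ".gif.pif",
              ".gif.scr", ".pif", ".scr", ".exe"]


def _alternation(words):
    # Longest alternative first, so "private" is tried before "priv" and
    # "photos" before "phot"; re.escape handles the "*" in "f*ck".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Assumption (not stated on the page): an optional single separator between
# the two words is accepted so that "my_pic.scr" is caught as well as "mypic.scr".
ATTACHMENT_RE = re.compile(
    r"^(?P<prefix>" + _alternation(PREFIXES) + r")"
    r"[_\-.]?"
    r"(?P<suffix>" + _alternation(SUFFIXES) + r")"
    r"(?P<ext>" + _alternation(EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def classify_attachment(filename):
    """Return (prefix, suffix, extension), lower-cased, when the attachment
    name matches the Mimail.T scheme; return None otherwise."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return None
    return (m.group("prefix").lower(),
            m.group("suffix").lower(),
            m.group("ext").lower())


def filter_attachments(filenames):
    """Return the subset of attachment names that match the scheme."""
    return [f for f in filenames if classify_attachment(f) is not None]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real mail.
    samples = ["myphotos.jpg.scr", "PrivateImgs.EXE", "my_pic.gif.pif",
               "mypics.exe", "myphotos.jpg", "report.pdf", "coolact.pif"]
    for name in samples:
        print(name, "->", classify_attachment(name))
```

Matching is anchored at both ends and case-insensitive, so "myphotos.jpg" (a real image) and "mypics.exe" (an extra letter between the word and the extension) are rejected, while "PrivateImgs.EXE" is caught despite the case difference.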
It copies itself to:
%WINDIR%\KASPERSKY.EXE
%WINDIR%\EE98AF.TMP

and adds the following registry values. Under the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
it creates the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE

and under the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
it creates the value:
Explorer3 = 0

It spreads by sending mail through its own SMTP (mail sending) engine. It scans the hard disk for e-mail addresses and saves them to the following file:
%WINDIR%\OUTLOOK.CFG
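The dropped files and the two registry values above are the host-side indicators an incident responder would sweep for. The following is an added example written for this page, not BitDefender's tooling: it checks a registry export (the text produced by `reg export`, in .reg syntax) for the Run and Explorer values and a directory listing of %WINDIR% for the dropped files. The registry export and file listing below are constructed samples. Because the persistence entry borrows an antivirus vendor's name, the check matches on the value name together with the KASPERSKY.EXE path rather than on the name alone.

```python
# Indicators from the description. Registry key and value names and NTFS
# file names are compared case-insensitively, as Windows does.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer"
DROPPED_FILES = ["KASPERSKY.EXE", "EE98AF.TMP", "OUTLOOK.CFG"]  # relative to %WINDIR%

# Constructed .reg export of the two keys, in the format 'reg export' writes
# (backslashes inside string values are doubled). Not from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KasperskyAV"="C:\\WINDOWS\\KASPERSKY.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Explorer3"=dword:00000000
'''

# Constructed %WINDIR% listing; only the two dropped files are of interest.
SAMPLE_WINDIR = ["explorer.exe", "win.ini", "kaspersky.exe", "Ee98af.tmp"]


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=value lines. Returns {key_lower: {name_lower: raw_value}}."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            result[current][name.strip('"').lower()] = value
    return result


def check_registry(reg_text):
    """Return a list of human-readable hits for the two registry indicators."""
    reg = parse_reg_export(reg_text)
    hits = []
    run_values = reg.get(RUN_KEY.lower(), {})
    run_value = run_values.get("kasperskyav")
    # Require both the value name and the dropped file name in its data.
    if run_value is not None and "kaspersky.exe" in run_value.lower():
        hits.append("Run value KasperskyAV -> " + run_value)
    explorer_values = reg.get(EXPLORER_KEY.lower(), {})
    if "explorer3" in explorer_values:
        hits.append("Explorer value Explorer3 = " + explorer_values["explorer3"])
    return hits


def check_files(windir_listing):
    """Return the dropped file names present in a %WINDIR% listing."""
    present = {name.lower() for name in windir_listing}
    return [f for f in DROPPED_FILES if f.lower() in present]


def assess(reg_text, windir_listing):
    """Combine both checks; an empty result means no indicator was found."""
    return {"registry": check_registry(reg_text),
            "files": check_files(windir_listing)}


if __name__ == "__main__":
    for kind, found in assess(SAMPLE_REG, SAMPLE_WINDIR).items():
        print(kind, found)
```

On a live system the export is produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the Explorer key), and the listing with a directory read of %WINDIR%; OUTLOOK.CFG is the harvested address list and is worth preserving before cleanup, since it shows who the infected host has been mailing.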

It also attempts to attack the following websites:
spews.org
darkprofits.net
darkprofits.cc
darkprofits.com
The worm contains the following text, which is never displayed:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***

Last update 21 November 2011
