
Win32.Manymize.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Manymize.A@mm is also known as WORM_MANYMIZE.A.

Explanation:

This is an Internet worm that spreads using two different exploits.
The first is an Iframe exploit that allows the worm to be executed when the user merely previews the e-mail. The second allows a script to be executed from a .wmv file (Windows Media file).

It arrives in the following format:

From: An e-mail address randomly generated from one of the following account names:
Heygenius, hulee, imedusa, jauhui, huangsj, huangsu, ietachi, jingyam, j4504, uangm, ivanhuangm, huting, j420k, homelanie, jaga6182, jj0103, hu4461, hui0716, hwachang, jacky702, jc660212, hh456, hsingni, hfp8, hgk315, huck0083, happymm, huang_ken, hut6641, j3017, james813, jarenluo, jenny_tsai, herotom, hfp5, hpf5678, ioiop5022, jupiter1117, hks7982, hippo8047, hk1513, hsiung33, jade1002, hsintay, hsu31036, ienali, jean0628, jht66, hhjj00669, hq7699, hv116699, hy0527, hyy0831, i100043491, j80014, jack2202, jacky12j, jemily, hs6910, iqmore, jack6318, jackyy0607, h2h3, h90308, hata408, hd6525, heart1028, hope90, hui0330, ifififif, ino007, isamuoki88, j813, housepain, hsiaan, hsuan0811, imgproc, ivy0323, j122388084, jearsu, jeff2415, jenshyan9, jeslee, jhae9876, jhjhshoke, hch88888, hj002040, hkl750, ioiriui, iw5650, jaja77, japs412, iii5555, i8455, h123243574, hit206, jessie1985, howarda, isancp, h885talk, hanwuji, hapi169, hb0810, hdd0002, hhhh7111, j7558486, jackie59, jarehoard0339, jcsun1028, jk78963578, jmj12, jmsbtl, jn0481, jo1016, joe126857, joemm, johnnyy1, jojo987654, joko3, jon1210, jonse16
and the domain:
@patame.com.tw

Subject: Randomly generated from the following table. The worm takes one entry from every column and builds a sentence:

Column 1          Column 2          Column 3      Column 4
Hi                , See this        funny         video.
Dear              This is           interesting   movie.
Hello             Open the          cute          penguin.
My friend,        Attached is my    amusing       clip.
How are you !!"   Watch my          special       tape.

Example:
[Hi] [, See this] [amusing] [movie]


Attachments:
Mi2.chm and
Mi2.exe and
Mi2.htm and
Mi2.wmv

When the user previews the e-mail, the mi2.exe attachment is executed (via the Iframe exploit) and the worm starts its spreading routine.

If the system is not vulnerable to the Iframe exploit, the worm still spreads if the user opens one of the attachments.

Usually the user opens the mi2.wmv attachment. That file contains a URL pointing to mi2.htm, and when the file is viewed in Media Player the HTML is executed.
mi2.htm then hands control to mi2.chm.
mi2.chm contains a script that launches mi2.exe.

Once mi2.exe runs, the spreading routine is executed: the worm collects all e-mail addresses from the Outlook Express Address Book and sends itself to those addresses in the same format in which it arrived.
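As an added detection example (not part of the BitDefender description), the following Python flags a message when several of the indicators listed above agree: the sender domain, a subject built from the four-column table, and the Mi2.* attachment set. The spacing between subject fields is not stated on the page and is treated loosely, and the sample messages are constructed.

```python
import re

# Subject-line columns from the advisory; one entry is taken from each column.
COL1 = ["Hi", "Dear", "Hello", "My friend,", "How are you !!"]
COL2 = [", See this", "This is", "Open the", "Attached is my", "Watch my"]
COL3 = ["funny", "interesting", "cute", "amusing", "special"]
COL4 = ["video", "movie", "penguin", "clip", "tape"]  # trailing "." is optional below

SENDER_DOMAIN = "patame.com.tw"
WORM_ATTACHMENTS = {"mi2.chm", "mi2.exe", "mi2.htm", "mi2.wmv"}

def _alt(words):
    # Literal alternation, longest entry first so "Hi" cannot shadow longer entries.
    return "(?:" + "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True)) + ")"

# Assumption: the exact join spacing is not given, so any whitespace (or none) is accepted.
SUBJECT_RE = re.compile(
    r"^\s*" + _alt(COL1) + r"\s*" + _alt(COL2)
    + r"\s+" + _alt(COL3) + r"\s+" + _alt(COL4) + r"\.?\s*$",
    re.IGNORECASE,
)

def subject_matches(subject):
    """True if the subject is one of the 5*5*5*5 sentences the worm can build."""
    return SUBJECT_RE.match(subject) is not None

def manymize_indicators(sender, subject, attachments):
    """Return the names of the advisory's indicators present in one message."""
    hits = []
    if sender.lower().rpartition("@")[2] == SENDER_DOMAIN:
        hits.append("sender_domain")
    if subject_matches(subject):
        hits.append("subject_template")
    names = {a.lower() for a in attachments}
    if names & WORM_ATTACHMENTS:
        hits.append("mi2_attachment")
    # wmv -> htm -> chm -> exe is the infection chain used when Iframe is not exploitable.
    if WORM_ATTACHMENTS <= names:
        hits.append("full_attachment_chain")
    return hits

def is_suspect(sender, subject, attachments, threshold=2):
    """Flag a message when at least `threshold` independent indicators agree."""
    return len(manymize_indicators(sender, subject, attachments)) >= threshold

# Constructed sample messages (not real captures).
SAMPLES = [
    ("jade1002@patame.com.tw", "Hi , See this amusing movie.", ["Mi2.chm", "Mi2.exe", "Mi2.htm", "Mi2.wmv"]),
    ("alice@example.org", "Quarterly report", ["report.pdf"]),
    ("bob@example.org", "Hello Watch my cute penguin", ["holiday.jpg"]),  # subject only
]
```

Requiring two agreeing indicators keeps a lone templated subject such as the third sample from triggering on its own.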

Last update 21 November 2011
