Home / malware Win32.Mimail.M@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Mimail.M@mm is also known as W32/Mimail-M, (Sophos.
Explanation :
Like all its predecessors, Win32.Mimail.M@mm spreads via e-mail.
It comes in the following e-mail format:
From: Wendy ???@???????? (the address is spoofed)
Subject: Re[3] (44 spaces) ???????? (? may be any letter)
Body:
Hello Greg,
I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.
He took my skirt off, then my panties, then my bra, he su**ed my tits, with the same fury you do it. He was writing alphabet on my pu**y for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger.But Greg, why didn't you warn me that his d**k is 15 inches long?? I was struck, we fu**ed whole night.
I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...
Wendy.
Attachmet: only_for_greg.zip (containing file for_greg.jpg.exe)
Once run, the virus does the following:
- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager.
- copies itself as netmon.exe in in %WINDOWS% folder
- creates msi2.tmp (copy of only_for_greg.zip) and nji2.tmp (copy of for_greg.jpg.exe) in %WINDOWS% folder
- creates the registry key
[HKLMSoftwareMicrosoftWindowsCurrentVersionRunNetMon="%WINDOWS%
etmon.exe"
- searches for e-mail addresses in files inside "Program Files" folder and also in files found using the registry list of folders
[HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folder] and filters out files with extension:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp
and stores harvested e-mail addresses in file %WINDOWS%xjwu2.tmp
- uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 212.5.86.163
- checks if the infected computer is connected to the internet by attempting to access www.register.com
- attempts dos attacks on (www.)darkprofits.ws, (www.)darkprofits.ws, (www.)darkprofits.com, (www.)darkprofits.netLast update 21 November 2011