
Win32.Mimail.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Mimail.A@mm is also known as W32/Mimail.A@mm.

Explanation:

It arrives as an e-mail in the following format:

From: admin@%domain%
where %domain% is the recipient's own domain, so the mail appears to come from the local administrator.

Subject: Your account %randomstring%

Body:

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator

%randomstring% (the same value used in the Subject line)

Attachment: Message.zip

When the user opens the attachment, they find a file named message.html. That file carries the executable worm wrapped in a specially formatted HTML file. The HTML uses a codebase exploit (see the Microsoft Knowledge Base article below): when the file is opened it drops foo.exe into the Temporary Internet Files folder and executes it.

For more information about this exploit go to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;330994
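The message format above is specific enough to match at the mail gateway. The following is an added example (not BitDefender's code, and not a real worm sample): it parses a raw message and reports which of the page's traits are present, so a message is flagged only when several co-occur. The sample built by build_sample() is constructed for the demo, with a harmless placeholder inside Message.zip; the three-trait threshold is a local choice.

```python
"""Mail-side detection of the Mimail.A message pattern described above.

Added example; this is not BitDefender's code.  build_sample() constructs a
message in that pattern with a harmless placeholder inside Message.zip, so the
check can be exercised offline without a real worm sample.
"""
from __future__ import annotations

import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^Your account (\S+)$")
BODY_MARKER = "This email address will be expiring."


def mimail_traits(raw: bytes) -> list[str]:
    """Return the Mimail.A traits present in a raw RFC 5322 message.

    Traits are the header, body and attachment features given on the page;
    an empty list means none matched.  Attachment size is deliberately not
    used, since the page notes that message.html varies in size.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    traits: list[str] = []

    # From: admin@<recipient's own domain>
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.partition("@")
    r_domain = recipient.partition("@")[2]
    if s_local == "admin" and s_domain and s_domain == r_domain:
        traits.append("From is admin@ at the recipient's domain")

    # Subject: Your account %randomstring%
    random_string = ""
    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if m:
        random_string = m.group(1)
        traits.append("Subject 'Your account <randomstring>'")

    # Body: fixed text, signed 'Administrator', random string repeated at the end
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if BODY_MARKER in body and "Best regards, Administrator" in body:
        traits.append("Body text matches")
    if random_string and lines and lines[-1] == random_string:
        traits.append("Body ends with the Subject's random string")

    # Attachment: Message.zip containing message.html
    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower() != "message.zip":
            continue
        data = att.get_content()
        if isinstance(data, bytes) and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower() == "message.html" for n in zf.namelist()):
                    traits.append("Message.zip contains message.html")
    return traits


def is_mimail_a(raw: bytes, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` traits co-occur (threshold is a local choice)."""
    return len(mimail_traits(raw)) >= threshold


def build_sample(random_string: str = "xk3pq9", worm_pattern: bool = True) -> bytes:
    """Construct a test message (demo data).  worm_pattern=False gives a benign mail."""
    msg = EmailMessage()
    if not worm_pattern:
        msg["From"] = "bob@example.org"
        msg["To"] = "alice@example.com"
        msg["Subject"] = "Lunch on Friday?"
        msg.set_content("Hi Alice, are you free on Friday?\n")
        return msg.as_bytes()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # placeholder HTML, not the worm's real message.html
        zf.writestr("message.html", "<html><body>placeholder</body></html>")
    msg["From"] = "admin@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = f"Your account {random_string}"
    msg.set_content(
        "Hello there,\n\n"
        "I would like to inform you about important information regarding your\n"
        "email address. This email address will be expiring.\n"
        "Please read attachment for details.\n\n"
        "---\nBest regards, Administrator\n\n"
        f"{random_string}\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(mimail_traits(build_sample()))                  # all five traits
    print(is_mimail_a(build_sample(worm_pattern=False)))  # False
```

Requiring several traits rather than any single one keeps a legitimate "Your account ..." notice from an actual admin@ address from being quarantined; the Message.zip/message.html pairing is the trait that does most of the work.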

After foo.exe is executed the worm creates the following files:
%WINDOWS%\videodrv.exe is a copy of foo.exe
%WINDOWS%\zip.tmp is the zipped file that will be sent as the attachment when spreading
%WINDOWS%\exe.tmp is a copy of message.html
It also creates the following registry entry, so that the worm is started again at every logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
with the value: %WINDOWS%\videodrv.exe

The worm sends the e-mails with its own SMTP engine. It harvests e-mail addresses from every file on the disk except those with the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg and bmp.

All the addresses it finds are then added to the following file:
%WINDOWS%\Eml.tmp

The worm sends itself to every address it has found, in the same format in which it arrives.
NOTE: The message.html file inside the zip varies in size, so a detection should not key on the size of the attachment.
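The dropped files, the Run value and Eml.tmp together make a usable host-side indicator set for incident response. The following is an added example (not BitDefender's or Microsoft's code): find_indicators() takes the %WINDOWS% directory and the Run key's values as plain inputs, so it can be pointed at a mounted disk image as well as a live machine, and it cross-checks the artifacts against each other (exe.tmp against the message.html inside zip.tmp) rather than trusting file names alone. demo() builds a constructed directory with placeholder artifacts; read_run_values() reads the live Run key only when running on Windows.

```python
"""Host-side check for the Mimail.A artifacts listed above.

Added example; not BitDefender's or Microsoft's code.  find_indicators()
takes the %WINDOWS% directory and the Run key's values as plain inputs so it
can run against a mounted image or, as in demo(), a constructed directory;
read_run_values() reads the live key only on Windows.
"""
import os
import re
import sys
import tempfile
import zipfile

FILE_ARTIFACTS = ("videodrv.exe", "zip.tmp", "exe.tmp", "Eml.tmp")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "VideoDriver"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def read_run_values() -> dict:
    """Return {value name: data} from HKLM\\...\\Run, or {} when not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = data
            i += 1
    return values


def find_indicators(windows_dir: str, run_values: dict) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    found = []
    for name in FILE_ARTIFACTS:
        if os.path.isfile(os.path.join(windows_dir, name)):
            found.append(f"file present: {name}")

    # Persistence: Run\VideoDriver -> %WINDOWS%\videodrv.exe
    data = str(run_values.get(RUN_VALUE_NAME, "")).strip('"')
    if os.path.basename(data.replace("\\", "/")).lower() == "videodrv.exe":
        found.append(f"registry Run\\{RUN_VALUE_NAME} = {data}")

    # zip.tmp is the outgoing attachment; exe.tmp is described as a copy of
    # the message.html it carries, so the two can corroborate each other.
    zip_path = os.path.join(windows_dir, "zip.tmp")
    exe_tmp = os.path.join(windows_dir, "exe.tmp")
    if zipfile.is_zipfile(zip_path):
        with zipfile.ZipFile(zip_path) as zf:
            html = [n for n in zf.namelist() if n.lower() == "message.html"]
            if html:
                found.append("zip.tmp contains message.html")
                if os.path.isfile(exe_tmp):
                    with open(exe_tmp, "rb") as fh:
                        if fh.read() == zf.read(html[0]):
                            found.append("exe.tmp is byte-identical to zip.tmp's message.html")

    # Eml.tmp holds the harvested addresses: the worm's outgoing target list
    eml_tmp = os.path.join(windows_dir, "Eml.tmp")
    if os.path.isfile(eml_tmp):
        with open(eml_tmp, "r", errors="replace") as fh:
            addresses = set(EMAIL_RE.findall(fh.read()))
        found.append(f"Eml.tmp lists {len(addresses)} harvested addresses")
    return found


def demo() -> list:
    """Build a constructed %WINDOWS% directory with all four artifacts and scan it."""
    html = b"<html><body>placeholder, not the worm's message.html</body></html>"
    with tempfile.TemporaryDirectory() as win:
        with open(os.path.join(win, "videodrv.exe"), "wb") as fh:
            fh.write(b"MZ placeholder")          # stand-in for the copied foo.exe
        with zipfile.ZipFile(os.path.join(win, "zip.tmp"), "w") as zf:
            zf.writestr("message.html", html)
        with open(os.path.join(win, "exe.tmp"), "wb") as fh:
            fh.write(html)
        with open(os.path.join(win, "Eml.tmp"), "w") as fh:
            fh.write("alice@example.com\nbob@example.org\nalice@example.com\n")
        run_values = {RUN_VALUE_NAME: win + "\\videodrv.exe"}  # as the worm would set it
        return find_indicators(win, run_values)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live Windows host call find_indicators(os.environ["WINDIR"], read_run_values()); the address count from Eml.tmp tells you how many recipients the infected machine would have targeted, which is the list to check against outbound mail logs.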

Last update 21 November 2011
