
Win32.Mimail.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Mimail.C@mm is also known as W32/Mimail-C (Sophos).

Explanation :

The worm spreads via email, attached as "photos.zip", in messages with the subject "Re[2]: our private photos" and the following body:

Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.
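A mail-gateway check for this lure, added here as an example and not BitDefender's own detection logic: it parses a raw RFC 822 message and reports which of the three indicators described above (subject, attachment name, body phrases) it matches. The sample message is constructed inline from the text on this page; the two-of-three scoring threshold and the particular phrase list are my assumptions, not anything the page specifies.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
LURE_SUBJECT = "Re[2]: our private photos"
LURE_ATTACHMENT = "photos.zip"
# Phrase list is my choice; two or more of them count as a body hit (assumption).
LURE_PHRASES = ("found possibility to right u", "enjoy the photos", "kiss, james")

# Constructed copy of the lure body quoted on this page.
LURE_BODY = (
    "Finally i've found possibility to right u, my lovely girl :)\n"
    "All our photos which i've made at the beach (even when u're without ur bh:))\n"
    "photos are great! This evening i'll come and we'll make the best SEX :)\n"
    "\n"
    "Right now enjoy the photos.\n"
    "Kiss, James.\n"
)


def score_message(raw: bytes) -> dict:
    """Return which Mimail.C lure indicators a raw message matches, plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = {
        "subject": subject == LURE_SUBJECT,
        "attachment": any(a.lower() == LURE_ATTACHMENT for a in attachments),
        "body": sum(phrase in body for phrase in LURE_PHRASES) >= 2,
    }
    # Two of three indicators is the (assumed) threshold for flagging the message.
    hits["verdict"] = "mimail.c-lure" if sum(hits.values()) >= 2 else "clean"
    return hits


def build_sample(subject: str, attachment_name: str, body: str) -> bytes:
    """Construct a multipart message with one zip attachment (test input only)."""
    m = EmailMessage()
    m["From"] = "james@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # Minimal empty-zip bytes stand in for the real attachment.
    m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                     subtype="zip", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample(LURE_SUBJECT, LURE_ATTACHMENT, LURE_BODY)))
    print(score_message(build_sample("Meeting notes", "notes.zip", "See attached.")))
```

Matching on the subject alone would be brittle (mass-mailers are often re-released with new text), which is why the attachment name and body phrases are scored together rather than any single string being decisive.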

Although it is a brand-new piece of malware, the first thing it does when run is to import and call "RegisterServiceProcess" from KERNEL32.DLL in order to hide its process from Task Manager. That function exists only on Windows 9x/Me; NT-based versions of Windows do not export it, so the trick has no effect there.

After that the worm copies itself into the %WINDIR% directory and starts collecting mail addresses: it recursively scans the files under the "Program Files" folder and under the folders listed in the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders registry key, looking for strings of the form "xxx@xxx.xxx" (mail addresses), where xxx is almost any non-empty string. From the way this routine is written, it appears to have been included in the source as assembler code.
Files are filtered by extension: .com, .wav, .cab, .pdf and other binary files are excluded from the search.
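An emulation of the harvesting scan described above, added here as an illustration and not code from the worm or from BitDefender: it walks an in-memory set of constructed files, skips the excluded binary extensions, and applies a "xxx@xxx.xxx" regular expression to the rest. The page does not spell out the worm's exact matcher or its full exclusion list, so the character classes in the pattern and every extension beyond .com/.wav/.cab/.pdf are my assumptions.

```python
import os
import re
from typing import Dict, List

# The page names .com, .wav, .cab and .pdf; the remaining entries are my assumption
# of what "other binary files" covers.
EXCLUDED_EXTENSIONS = {".com", ".wav", ".cab", ".pdf",
                       ".exe", ".dll", ".jpg", ".gif", ".mp3", ".zip"}

# Approximation of "xxx@xxx.xxx where xxx is almost any non-null string":
# runs of non-whitespace, non-delimiter bytes around '@', ending in a dotted
# alphabetic label so that things like "6.0@2003" do not match (assumption).
EMAIL_RE = re.compile(rb"[^\s<>\"',;:()@]+@[^\s<>\"',;:()@]+\.[A-Za-z]{2,}")

# Constructed sample "disk": path -> file bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Documents and Settings\user\My Documents\contacts.txt":
        b"Alice <alice@example.org>\nBob: bob.smith@mail.example.com\n",
    r"C:\Program Files\Outlook Express\readme.htm":
        b'<a href="mailto:support@example.net">support</a> version 6.0@2003',
    r"C:\Program Files\Adobe\manual.pdf":
        b"%PDF-1.4 contact: hidden@example.org",
}


def harvest(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Emulate the scan: skip excluded extensions, regex the rest, return path -> addresses."""
    found: Dict[str, List[str]] = {}
    for path, data in files.items():
        ext = os.path.splitext(path)[1].lower()
        if ext in EXCLUDED_EXTENSIONS:
            continue  # binary file, never opened by the scan
        addrs = sorted({m.group(0).decode("latin-1") for m in EMAIL_RE.finditer(data)})
        if addrs:
            found[path] = addrs
    return found


def unique_addresses(files: Dict[str, bytes]) -> List[str]:
    """The de-duplicated target list the worm would end up mailing to."""
    return sorted({a for addrs in harvest(files).values() for a in addrs})


if __name__ == "__main__":
    for path, addrs in harvest(SAMPLE_FILES).items():
        print(path, "->", addrs)
    print(unique_addresses(SAMPLE_FILES))
```

Note that the .pdf is skipped even though it contains a well-formed address, while the address inside an HTML mailto: link is harvested; this is why text-like files (address books, cached web pages, mail stores) are the main source of a mass-mailer's recipient list, and why a loose "xxx@xxx.xxx" scanner also picks up plenty of non-addresses.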

Some hard coded mail address are included in executable body as follows:
omnibbb@gmx.net
omnibcd@gmx.net
drbz@maill5.com
kxva@maill5.com

It was written in C++ and compiled using LCC-Win32.

Last update 21 November 2011
