Medium Alert Virus W32/Mimail.c@MM

Old 01 November 2003, 10:58 AM
  #1  
Nicks VR4
Scooby Regular
Thread Starter
Join Date: May 2003
Posts: 1,165

Most AV vendors have put this at Medium Alert.


W32/Mimail.c@MM

-- Update October 31st 2003 07:20 PST --
This worm was mass-spammed, which appears to have been the initial "seeding". An attachment named undelivered.hta (proactively detected as Downloader-BO.dr with the 4250+ DAT files) creates the file c:\mware.exe. This executable is the W32/Mimail.c@MM worm. When the .hta file is run, the following message is displayed:

Your message will be sent again in 1 hour. If it doesn't arrive - we will delete it from queue.

--
Due to the increased number of samples being submitted to AVERT, the risk assessment of this threat was raised to medium.
--

This mass-mailing worm spreads as a .ZIP file and contains a denial of service attack and an information stealing payload.

It bears similarities to a previous worm, W32/Mimail@MM. However, this variant does not use the codebase (MS02-015) and MHTML (MS03-014) exploits that the previous variants did.

A summary of the virus characteristics is as follows:

contains its own SMTP engine for constructing messages
mails itself as a ZIP attachment
harvests email addresses from the local machine
sends a large volume of data (garbage) to a remote server - DoS payload (see below)
captures information and emails it to four addresses
Scanning of compressed files should always be enabled for optimal detection.

Mail Propagation
Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:

avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
Addresses are written to the file EML.TMP in %WinDir% (such as c:\windows). Testing shows the worm is overly lax in identifying valid email addresses - as a result messages are likely to be sent to invalid recipients.

Outgoing messages are sent using the worm's own SMTP engine. They are formatted as follows:

Subject : Re[2]: our private photos (plus additional spaces then random characters)
Attachment : PHOTOS.ZIP (12,958 bytes) which contains PHOTOS.JPG.EXE (12,832 bytes)
Message Body :
Hello Dear!,
Finally, i've found possibility to right u, my lovely girl
All our photos which i've made at the beach (even when u're withou ur bh)
photos are great! This evening i'll come and we'll make the best SEX

Right now enjoy the photos.
Kiss, James.
(random characters - the same as those terminating the subject)

Messages are constructed with the following X-headers:

X-Mailer: The Bat! (v1.62)
X-Priority: 1 (High)

The 'From' address of outgoing messages may be spoofed as follows:

james@(target domain.com), such as james@abc.com, james@xyz.com, etc.
As with previous variants, the mailing routine queries the mail server for the domain related to the target (harvested) address. Messages are then sent through that SMTP server. The worm contains a hardcoded IP address (212.5.86.163).

Denial of Service
The worm sends a large amount of data to remote servers (port 80 and ICMP). The worm verifies that a connection is active by contacting www.google.com. If successful, an attack is initiated on the following domains:

darkprofits.net
darkprofits.com
www.darkprofits.net
www.darkprofits.com
Information stealing payload
The following email addresses are encrypted within the virus body and are used to send captured information to. Analysis of the exact information gathered is ongoing.

omnibbb@gmx.net
drbz@mail15.com
omnibcd@gmx.net
kxva@mail15.com

Symptoms
Presence of the file NETWATCH.EXE (12,832 bytes)
Outgoing messages matching the description above
Large volumes of data being sent to port 80 of a remote server

Method Of Infection
When run on the victim machine, the worm installs itself into %WinDir% as NETWATCH.EXE. For example:

C:\WINNT\NETWATCH.EXE (12,832 bytes)

Three other files are also dropped into %WinDir%:

%WinDir%\EML.TMP - contains a list of the email addresses harvested from the victim machine
%WinDir%\EXE.TMP - copy of the worm
%WinDir%\ZIP.TMP - a ZIP archive containing the worm
System startup is hooked via the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NetWatch32" = C:\WINNT\NETWATCH.EXE

This worm is written in MSVC. The samples received by AVERT have been UPX packed.
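As an added defender-side example (not part of the AVERT advisory or this post), the Python check below flags a message that matches the mail indicators quoted above: the "Re[2]: our private photos" subject prefix, the X-Mailer/X-Priority pair, and a PHOTOS.ZIP attachment that contains PHOTOS.JPG.EXE. The sample message and the archive contents are constructed placeholders, not the worm.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the AVERT description quoted in the post above.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\b")
X_MAILER = "The Bat! (v1.62)"
ATTACHMENT_NAME = "photos.zip"
INNER_NAME = "photos.jpg.exe"


def score_message(raw):
    """Return the list of Mimail.c indicators matched by one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    if msg.get("X-Mailer", "") == X_MAILER and msg.get("X-Priority", "").startswith("1"):
        hits.append("x-headers")
    for part in msg.walk():
        if (part.get_filename() or "").lower() != ATTACHMENT_NAME:
            continue
        hits.append("zip-attachment")
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [info.filename.lower() for info in zf.infolist()]
        except zipfile.BadZipFile:
            continue  # not a readable archive; the attachment name alone is still flagged
        if INNER_NAME in members:
            hits.append("double-extension-exe")
    return hits


def build_sample():
    """Constructed test message laid out as the advisory describes (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PHOTOS.JPG.EXE", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Re[2]: our private photos     qkzr"  # trailing random characters as in the advisory
    msg["X-Mailer"] = X_MAILER
    msg["X-Priority"] = "1 (High)"
    msg.set_content("Hello Dear!, ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="PHOTOS.ZIP")
    return bytes(msg)
```

Run `score_message()` over raw messages pulled from a mail queue or quarantine; a message hitting all four indicators matches the description in the post, while a lone "subject" hit is worth a manual look.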

Old 03 November 2003, 11:10 AM
  #2  
Nicks VR4
Scooby Regular
Thread Starter
Join Date: May 2003
Posts: 1,165

BTT for Monday