Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Mimail_Based@mm


Destructivity MEDIUM MEDIUM
Payload Attempts to steal credit card/e-gold information
Detection files published 25 Jan 2004 03:00:00
Description created 31 Jan 2004 05:43:00
Description updated 05 Feb 2004 05:43:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



The worm creates a registry key in
called “System", which points to either “%WINDIR%\Outlook.exe" or “%WINDIR%\Sys32.exe". This ensures that the worm is started with Windows. Mimail then copies itself to %WINDIR% as Oulook.exe and Sys32.exe.

The worm will also create/set some other registry keys throughout exececution. These are:

CurrentVersion\Explorer\Explorer to “1"
CurrentVersion\Explorer\Explorer2 to “1"
CurrentVersion\Explorer\Explorer3 to “1"
CurrentVersion\Explorer\Explorer4 to “1"
CurrentVersion\Explorer\Explorer5 to “1"
The worm then hides itself from the process list on Windows 95, 98 and Me.
Mimail then probes ports 80 (World Wide Web), 1434 (Microsoft-SQL-Monitor) and 1433 (Microsoft-SQL-Server) on the local machine to determine if they are open. The results are stored in c:\serv.txt before being mailed to an anonymous e-mail address. The file is then deleted.
The worm will then create 4 files on disk, logo.jpg, logobig.gif, mshome.hta and wind.gif. The file mshome.hta is a web page that informs the user that their version of Windows has expired and prompts them to enter personal information to re-activate it.

The information requested includes:

Full name Country, State, Zip City, Billing address Phone number E-mail address Credit card number, expiry date, CVV/CVC number and PIN Social Security number Mothers maiden name Date of birth Driving license number
(Image not available)

The information harvested is then mailed to an anonymous e-mail address.
The worm then searches in various locations on the hard disk for files that may contain e-mail addresses. If a file is found without the following extension .com, .wav, .cab, .pdf, .rar, .zip, .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg or .bmp then it is searched for mail addresses. The mail addresses are then stored in %WINDIR%\Outlook.cfg, and like the port information and credit card details, they are mailed to another anonymous e-mail account.
The worm then mails a polymorphic variant of itself to all the mail addresses found. Mimail will send the mail via the recipients SMTP server.

The attachment name consists of four parts, the first is a string, the second is a separator, the third is another string and the last part is its extension. All four parts are selected at random and may be:

First part: my, priv, private, prv, the, best, super, great, cool, wild, sex, f*ck.
Separator: _, __, - (Underscore, double underscore or a hyphen)
Second part: pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action.
Extension: .pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr

The mails that Mimail sends are quite variable, both in subject lines and body, and are built in much the same way as the attachment file name is.

The worm also contains the following threat:

*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS’ed in next version. WARNING: will be DDoS’ed in next versions, coz they have closed my mimail-email account. Who next? ***

Payload Details

Mimail will open port 3000 on the infected machine, and if a connection attempt is made it will create a pipe to a command prompt, which can then be operated by the remote attacker.Mimail also attempts to steal credit card and e-gold account information and mail them to various e-mail accounts.





Last Updated: 12 Nov 2015 11:06:12