Yellow Alert - WORM_MIMAIL.C (Medium Risk)


Andrew
11-01-03, 02:04 PM
[Thanks to Poundpuppy for sending me this alert]

Yellow Alert - WORM_MIMAIL.C (Medium Risk)
As of 8:02 a.m. U.S. Pacific Time, Trend Micro has
declared a Yellow Alert to control the spread of
WORM_MIMAIL.C.

This memory-resident Internet worm propagates via
email using its own SMTP engine. It runs on Windows
95, 98, ME, NT, 2000, and XP. The email arrives with
the following:

To: admin@???

Subject: Re[2]: our private photos ???

Message Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely
girl All our photos which i've made at the beach
(even when u're without ur bh:)) photos are great!
This evening i'll come and we'll make the best SEX

Right now enjoy the photos.
Kiss, James.
??? (Note: ??? is a variable string)


Attachment: photos.zip

Upon execution, this memory-resident worm drops a copy
of itself as NETWATCH.EXE in the Windows folder. It
then creates a registry entry so that its dropped copy
executes at every system startup.

This malware also creates the following files in the
%Windows% directory:

EML.TMP - contains the compiled and gathered email
addresses from the local machine
ZIP.TMP - the .ZIP file that this worm sends as a
mail attachment
EXE.TMP - a UPX-compressed Win32 .EXE file

This mass-mailing worm arrives as an email attachment,
which is a .ZIP file containing an .HTML file and a
UPX-compressed Win32 .EXE file.

When the .HTML file is opened, the malware code is
executed and exploits Internet Explorer's security
system vulnerability. It then launches the .EXE file,
which carries the worm program.

It also uses Simple Mail Transfer Protocol (SMTP)
servers and user names gathered from files not having
the following extensions:

COM
WAV
CAB
PDF
RAR
ZIP
TIF
PSD
OCX
VXD
MP3
MPG
AVI
DLL
EXE
GIF
JPG
BMP

It performs a Denial of Service (DoS) attack against
the IP address 63.246.128.180
(http://www.darkprofits.com) by sending the following
data:

ICMP packets (garbage data? - This is still under
investigation.)
HTTP packets (garbage data? - This is still under
investigation.)

It performs this routine using several threads,
resulting in an increase or flooding of ICMP messages
in the infected host network.

If you would like to scan your computer for
WORM_MIMAIL.C or thousands of other worms, viruses,
Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at:
http://housecall.trendmicro.com

WORM_MIMAIL.C is detected and cleaned by Trend Micro
pattern file #666 and above.
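The alert above lists the mail-side indicators of WORM_MIMAIL.C (the "Re[2]: our private photos" subject, the "admin@" recipient, the lure body text, and a photos.zip attachment holding an .HTML file plus a .EXE). The following is an added example, not code from the post or from Trend Micro, showing how a mail gateway or triage script could match those indicators on a message using only the Python standard library. The sample messages are constructed inline from the alert's description; the placeholder .exe member is just a filename, not an executable, and nothing is opened or run.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the alert text: subject prefix, lure phrases, attachment name.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos", re.IGNORECASE)
ATTACHMENT_NAME = "photos.zip"
BODY_MARKERS = ("Finally i've found possibility", "enjoy the photos", "Kiss, James")


def zip_member_suffixes(data: bytes) -> set[str]:
    """Return the lowercase extensions of the members of a ZIP payload (empty set if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name.rsplit(".", 1)[-1].lower() for name in zf.namelist() if "." in name}
    except zipfile.BadZipFile:
        return set()


def mimail_c_indicators(raw: bytes) -> list[str]:
    """Parse one RFC 822 message and return the WORM_MIMAIL.C indicators it matches, in check order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    if msg.get("To", "").lower().startswith("admin@"):
        hits.append("to-admin")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(marker.lower() in text.lower() for marker in BODY_MARKERS):
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment-name")
            # The alert says the ZIP carries an .HTML file and a UPX-packed .EXE together.
            if {"html", "exe"} <= zip_member_suffixes(part.get_payload(decode=True)):
                hits.append("zip-html+exe")
    return hits


def build_sample(with_zip: bool = True) -> bytes:
    """Constructed lookalike of the worm's mail, assembled from the alert's description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "james@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "Re[2]: our private photos abc123"
    msg.set_content("Hello Dear!,\nFinally i've found possibility to right u...\n"
                    "Right now enjoy the photos.\nKiss, James.\n")
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("photos.html", "<html></html>")   # harmless placeholder page
            zf.writestr("photos.exe", b"placeholder")     # only the name matters here
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename=ATTACHMENT_NAME)
    return bytes(msg)


def build_benign() -> bytes:
    """Constructed ordinary message used to confirm the checks do not fire on normal mail."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Re: meeting notes"
    msg.set_content("Attached are the notes from today.\n")
    return bytes(msg)


if __name__ == "__main__":
    print("worm lookalike:", mimail_c_indicators(build_sample()))
    print("benign message:", mimail_c_indicators(build_benign()))
```

The function returns the list of matched indicators rather than a single verdict so a gateway rule can decide its own threshold; the structural indicator (a photos.zip whose members include both .html and .exe) is the one least likely to change between the worm's randomised "???" strings, while the subject and body phrases catch mail whose attachment was stripped upstream.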