can we have the compressed scanning option now?

MiMail worm uses ZIP files to rampage across corporations

Beware the variant is in the wild


By INQUIRER staff: Friday 31 October 2003, 19:52

A NEW variant of the MiMail worm family, version C, is proliferating across the world, according to security firm iDefense.
MiMail.C has a DDoS component to attack DarkProfits domains and there's likely to be increased activity on Port 80, according to Ken Dunham a security officer at the firm.

He says it's dangerous for corporation, many of which allow people to transfer ZIP files to each other using email.

That means, he says, that MiMail.C "has the upper hand when infiltrating networks configured to allow ZIP attachments".

Anti-viral programs should be tweaked to check compressved archives, he warns. But some AV progs might experience difficulties scanning such archives.

There is a free removal tool. The EXE file can be found at Bit Defender, Dunham said. µ

 

I agree with you. This MiMail.C is spreading across networks in a .zip file format. I got one today in a .rar file format. I've been asking for this feature ever since NOD32V2 was released. The feature was available in NOD32V2B5 where in the beta version NOD32 you only could delete the whole archive, not just a particular file. In the near future we plan
to incorporate support for performing actions on files within archive so
it will be possible to replace an infected file with its clean copy. I have been told the following by ESET Moderators:

"We try to implement it asap - anyway - we have some more important fixes to implement now." This posted on August 8, 2003.

"Well, to write the truth:

there is a plan to implement it. Now there are more people that need help with more important things - e.g. some software conflicts, etc. When we'll fix these things, the compression issue follows." This was written on August 28, 2003.

"Sorry - there are still more important things to do - being pretty busy."
This was on October 23, 2003.

The thread I started is titled Problems w/ scanning from the context menu here is the link:

http://www.wilderssecurity.com/showthread.php?t=10337

I started this thread back on June 15, 2003 and it is now November 3, 2003. This issue has yet to be resolved and it is almost been six months now. I would hope after this latest threat it would move this feature to the foreground of things to be implemented asap. Iwould appreciate a response from an ESET Moderator. Thanks again for the help again in advance.

 

I'll add my vote in support of this option.

I've heard all the arguments against it, that it isn't needed etc.,
now there is a very good reason to have it.

I've been impressed by radicalb21's efforts to get this compressed scanning issue resolved. I would like the requests to be taken seriously, and not just shuffled off as unimportant.


Thanks for listening - I love NOD32 V2 -

gj

 

Thanks for everyones support about this issue. I would appreciate a response from any of the ESET Moderators in this forum as well as any other forum moderator or administrator. I believe this feature is now needed to be added asap. This is in response to the recent threat from MiMail.C being compressed in a .zip file format and going accross networks. Thanks again in advance.

 

Ok here is the writeup from two companies since once again NOd32 didn't say anything about it nor did they release a tool (thus an Symantec tool must be used).
REMOVAL TOOL
Symantec type: http://www.symantec.com/avcenter/FxMimail.exe


THE C STRAIN
When W32.Mimail.C@mm is executed, it does the following:


Copies itself as %Windir%\Netwatch.exe.


--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------


Adds the value:

"NetWatch32" = "%Windir%\netwatch.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Collects email address from all the files on the computer, except those with the extensions:

com
wav
cab
pdf
rar
zip
tif
psd
ocx
vxd
mp3
mpg
avi
dll
exe
gif
jpg
bmp


Writes all the email addresses to the file, %Windir%\eml.tmp.


Checks to see whether there is a valid Internet connection by attempting to connect to www.google.com.


Captures text from specific windows and sends the data to predetermined email addresses.


Sends email messages using its own SMTP engine. For each email address the worm gathers, it will:

Look up the Mail Exchange (MX) record for the domain name using the DNS server of the current host. If a DNS server is not found, it will default to 212.5.86.163.
Acquire the mail server associated with that particular domain.
Directly contact the destination server.

The email has the following characteristics:

From: james@<current domain> (The from address may be spoofed to appear that it is coming from the current domain)

Subject: Re[2]: our private photos [random sequence of letters]

Message:
Hello Dear!,

Finally i've found possibility to right u, my lovely girl
All our photos which i've made at the beach (even when u're without ur bh)
photos are great! This evening i'll come and we'll make the best SEX
Right now enjoy the photos.

Kiss, James.
[random sequence of letters]

Attachment: photos.zip


--------------------------------------------------------------------------------
Note: Photos.zip contains only one file, photos.jpg.exe.
--------------------------------------------------------------------------------


Perform a Denial of Service (DoS) with the following characteristics:

Randomly selects a site from the names below:

1. darkprofits.net
2. www.darkprofits.net
3. darkprofits.com
4. www.darkprofits.com

DoS routine is designed to have 15 attacking threads active at any moment.
Each thread performs one TCP connection or an ICMP attack, then sleeps for 5 seconds.
Randomly chooses to perform a TCP connection on port 80 or an ICMP attack.
The packets sent to the victim carry a 2k payload filled with random data.
Uses a random ICMP type when performing the ICMP attack.
The data sent is either the GET request or some random data when performing the HTTP connection.

Creates two additional files in the %Windir% folder:

Zip.tmp: a temporary copy of message.zip (12,958 bytes).
Exe.tmp: a temporary copy of message.html (12,832 bytes).




THE D STRAIN IS BELOW
Presence of the next files in %WINDOWS% folder:

cnfrm.exe
eml.tmp
exe.tmp
zip.tmp

- Presence of the next registry key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Cnfrm32"="%WINDOWS%\cnfrm.exe"]

where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)



Technical description:

Like its predecessors, versions A and C, Win32.Mimail.D@mm spreads via e-mail.

The e-mail format is as follows:

From: john@?? (? means any domain, for example yahoo.com etc)
Subject: don't be late!
Body:
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,

so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attachmet: readnow.zip (containing file readnow.doc.scr)


Once run, the virus does the following:

- On Windows 9x[me=]systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager. [/me]

- copies itself as cnfrm.exe in in %WINDOWS% folder

- creates zip.tmp (copy of readnow.zip) and exe.tmp (copy of readnow.doc.scr) in %WINDOWS% folder

- creates the registry key
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32="%WINDOWS%\cnfrm.exe"
- searches for e-mail addresses in files inside "Program Files" folder and also in files found using the registry list of folders
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder] and filters out files with extension:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp
and stores harvested e-mail addresses in file %WINDOWS%\eml.tmp

- uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 212.5.86.163

- checks if the infected computer is connected to the internet by attempting to access www.google.com

- attempts dos attacks on (www.)spews.org, (www.)spamhaus.org, (www.)spamcop.net


Manual removal

Open Task Manager pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
use "End Process" on cnfrm.exe
delete the files eml.tmp exe.tmp zip.tmp from Windows folder

open Registry Editor (click Start, Run and enter regedit)
remove the key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32]

Automatic removal:
Let BitDefender disinfect/delete files found infected

 

Here is what I found on ESET Italy site. Here is a translated version of the document:

"This worm of diffuses via Internet through email infette, that it sendes through a just motor smtp (Simple Mail Transfer Protocol). The email is introduced in the following way: Sender: james (james@dominio_di_appartenenza). The dominion comes adulterated in order to appear equal to that one which the destinatatario belongs. Object: Re[2 ]: our private photos Importance: High Message: Hello Dear!, Finally i' ve found possibility to right u, my lovely girl All our photos which i' ve made at the beach (even when u' king without ur bh) photos to are great! This evening i' ll like and we' ll make the best SEX Right now enjoy the photos. Kiss, James. Attached: photos.zip attached L?archivio ZIP to the message contains rows eseguibile with double extension, photos.jpg.exe. The double extension comes used in order to draw in deceit the customers whose operating system is not shaped in order to show l?estensione of the known rows: with this type of formulation the customers will see only l?estensione jpg. The worm eseguibile with format Portable Executable to 32 bit and compressed program with UPX is constituted, whose 12832 dimension is of byte. An executed time, the worm creates the following rows in the predefined folder of Windows netwatch.exe? copy of worm (the 12832 byte) exe.tmp? copy of worm (the 12832 byte) zip.tmp? copy of rows photos.zip (12958 byte) In order to be executed in automatic rifle to every start of Windows, the worm adds a new the following value in key of the Registry of system: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \ Run "NetWatch32" = %Windir%\netwatch.exe where %Windir% represent the distance of the folder of Windows on the infected system. In the infected computer the worm it tries of the addresses of e-mail to which to send if same. The worm it carries out such search in all the rows with the exception of that they have the following extensions: grandfathers? bmp? cab? com? DLL? exe? GIF? jpg? mp3? mpg? ocx? pdf? psd? rar? tif? vxd? wav? zip the addresses find to you are memorizza you in the rows eml.tmp, created from the worm all?interno of the predefined folder of Windows. The worm it tries of following capacities an attack Denial Of Service to situated darkprofits.com darkprofits.net www.darkprofits.com www.darkprofits.net the worm examines also the windows of the applications opened to the search of possible relative activities to the situated one http://www.e-gold.com, dedicated to the trattazione dell?oro. In case positvo, the worm it records some give to you in the rows c:\tmpe.tmp. - text edited by Paul Rome, 30,10,2003 Mounts - Last modernization: 03.11.2003"

There is also a removal tool posted on the same site.

 

Hi,

as you probably know, NOD32 scans inside zips, it just doesn't clean/delete malware inside them - that is detected by AMON upon extraction of the compressed file. We want to add this feature for your convenience, but there are really bigger priorities now. It can take a bit longer time.

NOD32 detects and deletes various versions of Mimail.

Thanks for your understanding and patience

jan

 

Thanks Jan. For the update.