W32/Mimail.t@MM

Discussion in 'malware problems & news' started by Marianna, Feb 13, 2004.

Thread Status:
Not open for further replies.
Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; B.C. Canada):
    This mass-mailing email worm was spammed to many email recipients during the initial seeding.

    The worm constructs email messages using its own SMTP engine.

    The spammed message is as follows:

    From: "Nancy"
    Subject: Re:Gollum

    Hi Gollum its Nancy.,

    I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Gollum. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.

    ... omitted ...

    I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...



    Attachment:

    Fail.hta (password-protected zip file - 13,503 bytes), containing test.exe (14,880 bytes).
    Users may receive another seeding of the message containing the actual password to the ZIP file.
    The worm checks to see whether there is a valid Internet connection by attempting to connect to www.google.com.

    Mail Propagation
    Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:

    avi
    bmp
    cab
    com
    dll
    exe
    gif
    jpg
    mp3
    mpg
    ocx
    pdf
    psd
    rar
    tif
    vxd
    wav
    zip
    Other data (RAS details, passwords, e-gold information - still under analysis) may also be harvested from the victim machine.

    Denial of Service Payload
    The worm attempts to cause a denial of service on the following domains, via ICMP and HTTP traffic.

    darkprofits.ws
    darkprofits.cc
    darkprofits.net
    darkprofits.com
    www.darkprofits.ws
    www.darkprofits.cc
    www.darkprofits.net
    www.darkprofits.com

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100996
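As an added detection example (not part of the post or the McAfee writeup), the Python below checks a raw message for the traits listed above: the "Re:Gollum" subject, a Fail.hta attachment whose bytes are really a ZIP archive, the ZIP's password-protection flag, and a test.exe entry inside it. The sample message it builds is constructed here with a harmless placeholder payload, not a real capture.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the writeup above: subject, attachment name, dropped file.
LURE_SUBJECT = "Re:Gollum"
LURE_ATTACHMENT = "Fail.hta"
DROPPED_NAME = "test.exe"

def first_zip_entry(data: bytes):
    """Parse the first ZIP local file header -> (encrypted, name), or None if not a ZIP.
    Flags sit at offset 6 (bit 0 = password-protected entry), name length at 26, name at 30."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    flags = struct.unpack_from("<H", data, 6)[0]
    name_len = struct.unpack_from("<H", data, 26)[0]
    name = data[30:30 + name_len].decode("cp437", errors="replace")
    return bool(flags & 0x1), name

def mimail_t_indicators(raw_message: bytes) -> dict:
    """Score a raw RFC 822 message against the traits the post describes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = {"subject": (msg.get("Subject") or "").strip() == LURE_SUBJECT, "attachment_name": False,
            "hta_is_zip": False, "zip_encrypted": False, "contains_test_exe": False}
    for part in msg.iter_attachments():
        if (part.get_filename() or "") != LURE_ATTACHMENT:
            continue
        hits["attachment_name"] = True
        entry = first_zip_entry(part.get_payload(decode=True) or b"")
        if entry:  # the ".hta" is really a ZIP archive
            hits["hta_is_zip"] = True
            hits["zip_encrypted"], name = entry
            hits["contains_test_exe"] = name == DROPPED_NAME
    return hits

def build_sample_message() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DROPPED_NAME, b"placeholder bytes, not the worm")  # constructed sample, no malware
    archive = bytearray(buf.getvalue())
    archive[6] |= 0x1  # set the encrypted flag bit that a password-protected ZIP carries
    msg = EmailMessage()
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("Hi Gollum its Nancy.,")
    msg.add_attachment(bytes(archive), maintype="application",
                       subtype="octet-stream", filename=LURE_ATTACHMENT)
    return msg.as_bytes()
```

A message is flagged when every value in the returned dict is true; individual traits can be used as weaker signals on their own.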