W32/Mimail.t@MM

Discussion in 'malware problems & news' started by Marianna, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; B.C. Canada):

    This mass-mailing email worm was spammed to many email recipients during the initial seeding.

    The worm constructs email messages using its own SMTP engine.

    The spammed message is as follows:

    From: "Nancy"
    Subject: Re:Gollum

    Hi Gollum its Nancy.,

    I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Gollum. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.

    ... omitted ...

    I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...



    Attachment :

    Fail.hta (password-protected zip file - 13,503 bytes), containing test.exe (14,880 bytes).
    Users may receive another seeding of the message containing the actual password to the ZIP file.
    The worm checks to see whether there is a valid Internet connection by attempting to connect to www.google.com.

    Mail Propagation
    Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:

    avi
    bmp
    cab
    com
    dll
    exe
    gif
    jpg
    mp3
    mpg
    ocx
    pdf
    psd
    rar
    tif
    vxd
    wav
    zip
    Other data (RAS details, passwords, e-gold information - still under analysis) may also be harvested from the victim machine.

    Denial of Service Payload
    The worm attempts to cause a denial of service on the following domains, via ICMP and HTTP traffic.

    darkprofits.ws
    darkprofits.cc
    darkprofits.net
    darkprofits.com
    www.darkprofits.ws
    www.darkprofits.cc
    www.darkprofits.net
    www.darkprofits.com

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100996
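The description above gives three behaviours an operator can look for without a sample: the seeded lure (display name "Nancy", subject "Re:Gollum", attachment Fail.hta of 13,503 bytes), the ICMP/HTTP flood against the darkprofits.* names, and outbound mail sent from the worm's own SMTP engine rather than through the site relay. The script below is an added example written for this page, not code from the forum post or from McAfee. It runs those three checks over constructed key=value mail-gateway, DNS and firewall log lines; the log formats, the IP addresses, the relay address `10.0.0.2` and the "three distinct MX targets" threshold are all assumptions for the example, and the DoS check joins firewall destinations to DNS answers because an ICMP record carries no hostname.

```python
"""Indicator checks derived from the W32/Mimail.t@MM write-up (added example)."""
import re
from collections import defaultdict

# Indicators taken from the description.
DOS_TARGETS = {
    "darkprofits.ws", "darkprofits.cc", "darkprofits.net", "darkprofits.com",
    "www.darkprofits.ws", "www.darkprofits.cc", "www.darkprofits.net",
    "www.darkprofits.com",
}
LURE_DISPLAY_NAME = "Nancy"
LURE_SUBJECT = "Re:Gollum"
LURE_ATTACHMENT_NAME = "fail.hta"   # compared case-insensitively
LURE_ATTACHMENT_SIZE = 13503        # the password-protected zip, 13,503 bytes

# Constructed sample logs for the example (not real traffic); one key=value record per line.
MAIL_LOG = """\
ts=2004-02-13T09:01:10 id=m1 from="Nancy" <nancy@example.net> subject="Re:Gollum" attach=Fail.hta size=13503
ts=2004-02-13T09:01:12 id=m2 from="Bob" <bob@example.org> subject="Re: lunch" attach=menu.pdf size=40211
ts=2004-02-13T09:02:30 id=m3 from="Nancy" <nancy2@example.com> subject="Re:Gollum" attach=fail.hta size=13503
ts=2004-02-13T09:03:00 id=m4 from="Nancy" <n@example.com> subject="Re:Gollum" attach=Fail.hta size=99
"""
DNS_LOG = """\
ts=2004-02-13T09:10:00 src=10.0.0.5 qname=www.darkprofits.com answer=203.0.113.10
ts=2004-02-13T09:10:01 src=10.0.0.5 qname=darkprofits.net answer=203.0.113.11
ts=2004-02-13T09:10:02 src=10.0.0.7 qname=www.google.com answer=198.51.100.1
"""
FW_LOG = """\
ts=2004-02-13T09:10:03 src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=80
ts=2004-02-13T09:10:03 src=10.0.0.5 dst=203.0.113.10 proto=icmp type=8
ts=2004-02-13T09:10:04 src=10.0.0.5 dst=203.0.113.11 proto=icmp type=8
ts=2004-02-13T09:10:05 src=10.0.0.7 dst=198.51.100.1 proto=tcp dport=80
ts=2004-02-13T09:10:06 src=10.0.0.5 dst=192.0.2.25 proto=tcp dport=25
ts=2004-02-13T09:10:06 src=10.0.0.5 dst=192.0.2.26 proto=tcp dport=25
ts=2004-02-13T09:10:07 src=10.0.0.5 dst=192.0.2.27 proto=tcp dport=25
ts=2004-02-13T09:10:08 src=10.0.0.9 dst=10.0.0.2 proto=tcp dport=25
ts=2004-02-13T09:10:09 src=10.0.0.7 dst=192.0.2.25 proto=tcp dport=25
"""

# key=value, where a value is either a quoted string (optionally followed by an
# <address>, as in from="Nancy" <nancy@example.net>) or a run of non-space characters.
KV = re.compile(r'(\w+)=("[^"]*"(?: <[^>]+>)?|\S+)')


def parse_kv(line):
    return {k: v for k, v in KV.findall(line)}


def display_name(from_field):
    """Return the quoted display name of a From value, or the raw value."""
    m = re.match(r'"([^"]*)"', from_field)
    return m.group(1) if m else from_field


def lure_messages(mail_log):
    """IDs of messages matching the seeded lure: sender name, subject, attachment name and size."""
    hits = []
    for line in mail_log.splitlines():
        r = parse_kv(line)
        if not r:
            continue
        if display_name(r.get("from", "")) != LURE_DISPLAY_NAME:
            continue
        if r.get("subject", "").strip('"') != LURE_SUBJECT:
            continue
        if r.get("attach", "").lower() != LURE_ATTACHMENT_NAME:
            continue
        if int(r.get("size", "0")) != LURE_ATTACHMENT_SIZE:
            continue
        hits.append(r["id"])
    return hits


def resolved_dos_ips(dns_log):
    """Map answer IP -> queried name for lookups of the DoS target names."""
    ips = {}
    for line in dns_log.splitlines():
        r = parse_kv(line)
        if r.get("qname", "").lower().rstrip(".") in DOS_TARGETS:
            ips[r["answer"]] = r["qname"]
    return ips


def dos_connections(fw_log, dns_log):
    """(src, target name, proto) for HTTP (tcp/80) or ICMP traffic to a resolved DoS target."""
    targets = resolved_dos_ips(dns_log)
    hits = []
    for line in fw_log.splitlines():
        r = parse_kv(line)
        dst = r.get("dst")
        if dst not in targets:
            continue
        if r.get("proto") == "icmp" or (r.get("proto") == "tcp" and r.get("dport") == "80"):
            hits.append((r["src"], targets[dst], r["proto"]))
    return hits


def direct_to_mx_sources(fw_log, relay_ips, min_distinct=3):
    """Hosts opening tcp/25 to at least min_distinct non-relay destinations.

    A workstation talking to many remote MX hosts directly, instead of the site
    relay, is the footprint of a built-in SMTP engine like the one described."""
    dests = defaultdict(set)
    for line in fw_log.splitlines():
        r = parse_kv(line)
        if r.get("proto") == "tcp" and r.get("dport") == "25" and r.get("dst") not in relay_ips:
            dests[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_distinct}


if __name__ == "__main__":
    print("lure messages:", lure_messages(MAIL_LOG))
    print("DoS traffic:", dos_connections(FW_LOG, DNS_LOG))
    print("direct-to-MX senders:", direct_to_mx_sources(FW_LOG, {"10.0.0.2"}))
```

The exact-size match on the attachment is deliberate but brittle: the follow-up seeding that carries the zip password is a different message and is not caught here, and the google.com connectivity probe is too common to be worth alerting on, so the direct-to-MX count is the check most likely to survive a change in the lure.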