W32/Mimail.u@MM

Discussion in 'malware problems & news' started by Marianna, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    This mass-mailing email worm was spammed to many email recipients during the initial seeding.

    The spammed message is as follows:

    Subject: Your account delete

    Your account is deleted.
    Details see in file.

    ----

    SSGroup Support

    <212> 799-03-21




    The worm checks to see whether there is a valid Internet connection by attempting to connect to the following domains:

    google.com
    yahoo.com
    demos.ru
    kernel.org
    navy.mil

    It attempts to connect to several IRC servers and waits for further commands.

    Mail Propagation
    Target email addresses are harvested from files on the victim's machine and written to the following file:

    C:\cyclop.bin
    The worm ignores address extraction from files that contain the following extensions:

    avi
    bmp
    cab
    com
    dll
    exe
    gif
    jpg
    mp3
    mpg
    ocx
    pdf
    psd
    rar
    tif
    vxd
    wav
    zip




    Analysis is still on-going.

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101021
     