Win32.Mimail.D,E,F,H@mm( W32/Mimail.gen@MM (Mcafee) )
SYMPTOMS: - Presence of the next files in %WINDOWS% folder: exe.tmp zip.tmp eml.tmp cnfrm.exe (variants D@mm and E@mm) sysload32.exe (variant F@mm) cnfrm33.exe (variant H@mm) - Presence of any of the next registry keys: For D@mm and E@mm variants: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] contains the value "Cnfrm32"="%WINDOWS%\cnfrm.exe" For F@mm variant: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] contains the value "SystemLoad32"="%WINDOWS%\sysload32.exe" For H@mm variant: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] contains the value "Cn323"="%WINDOWS%\cnfrm33.exe" where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems). TECHNICAL DESCRIPTION: There are only small differences between the two variants, D and F. Like their predecessors, versions A and C, these versions also spread via e-mail. The e-mail format is as follows: From: john@???????? (??????? means any domain, for example yahoo.com etc) Subject: don\'t be late! (30 spaces) ???????? (? may be any letter) Body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you. Attachmet: readnow.zip (containing file readnow.doc.scr) Once run, the virus does the following: - On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, and thus it cannot be seen in Task Manager. - copies itself as cnfrm.exe (D@mm and E@mm variants) sysload32.exe (F@mm variant) cnfrm33.exe (H@mm variant) in %WINDOWS% folder - creates zip.tmp (copy of readnow.zip) and exe.tmp (copy of readnow.doc.scr) in %WINDOWS% folder - creates the registry key variants D@mm and E@mm: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] with the value "Cnfrm32"="%WINDOWS%\cnfrm.exe" variant F@mm: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\] with the value "SystemLoad32"="%WINDOWS%\sysload32.exe" variant H@mm: [[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] with the value ["Cn323"="%WINDOWS%\cnfrm33.exe" - searches for e-mail addresses in files inside Program Files folder and also in files found using the registry list of folders [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder] and filters out files with extension: com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp, and stores harvested e-mail addresses in file %WINDOWS%\eml.tmp - uses it's own smtp server to send itself; for each e-mail address harvested, it querries the host's DNS server for the domain name associated with the harvested e-mail address and attempts to send itself through that domain's smtp address or, if it fails, it uses the smtp address 212.5.86.163 - checks if the infected computer is connected to the internet by attempting to access www.google.com - attempts dos attacks Removal instructions: Manual removal Open Task Manager pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP use "End Process" on cnfrm.exe or sysload32.exe or cnfrm33.exe delete the files eml.tmp, exe.tmp, zip.tmp from Windows folder; open Registry Editor (click Start, Run and enter regedit) remove any of the keys: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32] [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32] [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cn323] Automatic removal: Let BitDefender disinfect/delete files found infected. ANALYZED BY: Patrik Vicol BitDefender Virus Researcher |