Win32.Mimail.Q@mm (I-Worm.Mimail.Q)
SYMPTOMS:

The following files in %windir%:
Sys32.exe, sys32.cfg, Outlook.exe, outlook.cfg, crc32.cfg

The following files in the C:\ directory:
Mshome.hta, Logo.jpg, wind.gif, logobig.gif, tmpeg2.txt, tmpgld.txt, Serv.txt, mminfo2.txt, mminfo.txt

The following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value %windir%\sys32.exe

TECHNICAL DESCRIPTION:

This is a polymorphic mass mailer with backdoor capabilities. It arrives in the following format:

From: James2000@yahoo.com or %name%@%yourdomain%.%domain%
where %name% is any name from the following list: "john" "alex" "bob" "robert" "admin" "root" "adm" "michael" "sex" "ben" "bill" "freddie" "brian" "roger" "dan" "george" "jack" "james" "kevin" "paul" "peter" "steve" "thomas" "victor" "anthony" "rick"
%yourdomain% is your computer's domain name.
%domain% is one of the following: .net .com .org

Subject and body: a combination of words contained in the worm body. Example:
Subject: cool pictures just for you
Body: Hello my darling Barbara It's amazing My sister had best sex I ever seen last night with the friend of Alice I turned on my digital hp video camera and create a lot of excellent pictures! I beg you do not show it anybody else, deal?

Attachment: a combination of one word from the first list with one word from the second list:
My, priv, private, prv, the, best, super, great, cool, wild, sex
Pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action
with one of the following extensions: .pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
Example of attachment: My_Photos.jpg.pif

The worm is made of two components: a polymorphic dropper and the worm itself. The dropper is the file that arrives as the attachment of an infected e-mail.

When the user opens the attachment, the dropper polymorphs itself and copies itself to %windir%\sys32.exe. It adds the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value %windir%\sys32.exe. It then drops the file outlook.exe in %windir%, executes it and displays the error message 'ERROR: Bad CRC32'.

outlook.exe is the Internet worm. After it is run it does the following:
It scans for Internet services running on the infected computer and sends the results to some e-mail address.
It gathers e-mail addresses from all files on the computer except files with the following extensions: com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp.
It saves the e-mail addresses it finds in the file %windir%\outlook.cfg.
It sends the sys32.exe file to all the e-mail addresses it found, in the same format in which it arrived.
It opens a shell on port 3000 and waits for connections.
It waits for remote connections on port 6667.
It drops the file c:\mshome.hta and executes it. The .hta file is used to gather personal information, which is then sent to some e-mail addresses.

The worm also uses the following registry values to keep track of its progress:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ with values Explorer, Explorer2, Explorer3, Explorer4, Explorer5

The worm contains the following text:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: ********* will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? *** visit our friendly site **************'

Removal instructions: Let BitDefender delete the infected files it finds.

ANALYZED BY: Sorin Victor Dudea
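The indicators above (the dropped files, the Run value, the two listening ports, the spoofed-sender pattern and the attachment name scheme) can be turned into a small triage check. The script below is an added example written for this page; it is not BitDefender code and not part of the original description. It checks a host snapshot that you supply (directory listings, the Run values and listening ports, all passed in as plain Python data so it runs anywhere) against the listed indicators, and it classifies mail headers using the name lists from the description. Two assumptions are mine: the attachment name is taken to join the two words with an optional "_" (the page only gives the example My_Photos.jpg.pif), and matching is case-insensitive throughout. The sample snapshot and addresses at the bottom are constructed.

```python
import re

# Indicators as listed in the description (file names compared case-insensitively).
WINDIR_FILES = {"sys32.exe", "sys32.cfg", "outlook.exe", "outlook.cfg", "crc32.cfg"}
ROOT_FILES = {"mshome.hta", "logo.jpg", "wind.gif", "logobig.gif", "tmpeg2.txt",
              "tmpgld.txt", "serv.txt", "mminfo2.txt", "mminfo.txt"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "system"          # value data is %windir%\sys32.exe
BACKDOOR_PORTS = {3000, 6667}      # shell on 3000, remote connections on 6667

# Sender spoofing: fixed address, or a listed name at the victim's own domain + TLD.
FIXED_SENDER = "james2000@yahoo.com"
SENDER_NAMES = {"john", "alex", "bob", "robert", "admin", "root", "adm", "michael", "sex",
                "ben", "bill", "freddie", "brian", "roger", "dan", "george", "jack", "james",
                "kevin", "paul", "peter", "steve", "thomas", "victor", "anthony", "rick"}
TLDS = ("net", "com", "org")

# Attachment name components from the description.
WORDS_A = ["my", "priv", "private", "prv", "the", "best", "super", "great", "cool", "wild", "sex"]
WORDS_B = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs", "scene", "plp", "act", "action"]
EXTS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe", ".gif.exe", ".gif.pif", ".gif.scr"]


def _alt(words):
    # Longest alternatives first so "photos" is tried before "phot", ".jpg.pif" before ".pif".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Assumption (mine, not from the page): the two words are joined by an optional underscore.
ATTACHMENT_RE = re.compile(
    rf"^(?:{_alt(WORDS_A)})_?(?:{_alt(WORDS_B)})(?:{_alt(EXTS)})$", re.IGNORECASE)


def is_mimail_attachment(filename: str) -> bool:
    """True if the attachment name follows the word-word-extension scheme described."""
    return ATTACHMENT_RE.match(filename.strip()) is not None


def is_spoofed_sender(address: str, local_domain: str) -> bool:
    """True for James2000@yahoo.com or <listed name>@<local_domain>.<net|com|org>."""
    addr = address.strip().lower()
    if addr == FIXED_SENDER:
        return True
    local, _, domain = addr.partition("@")
    own_domains = {f"{local_domain.lower()}.{tld}" for tld in TLDS}
    return local in SENDER_NAMES and domain in own_domains


def check_host(windir_listing, root_listing, run_values, listening_ports):
    """Return the host-level indicators matched by a snapshot of the machine.

    windir_listing / root_listing: file names found in %windir% and C:\\.
    run_values: {value name: value data} read from the Run key.
    listening_ports: TCP ports in LISTEN state.
    """
    hits = []
    for name in windir_listing:
        if name.lower() in WINDIR_FILES:
            hits.append(f"%windir%\\{name}")
    for name in root_listing:
        if name.lower() in ROOT_FILES:
            hits.append(f"C:\\{name}")
    # %windir% expands differently per host, so match the value data by its tail.
    data = run_values.get(RUN_VALUE_NAME, "")
    if data.lower().endswith("\\sys32.exe"):
        hits.append(f"{RUN_KEY}\\{RUN_VALUE_NAME} = {data}")
    for port in sorted(BACKDOOR_PORTS & set(listening_ports)):
        hits.append(f"listening port {port}")
    return hits


if __name__ == "__main__":
    # Constructed snapshot of an infected host (not real data).
    sample_hits = check_host(
        windir_listing=["explorer.exe", "Sys32.exe", "outlook.cfg"],
        root_listing=["Mshome.hta", "pagefile.sys"],
        run_values={"system": r"C:\WINDOWS\sys32.exe"},
        listening_ports={135, 3000},
    )
    for hit in sample_hits:
        print("indicator:", hit)
    for name in ("My_Photos.jpg.pif", "sex_action.scr", "report.pdf"):
        print(name, "->", is_mimail_attachment(name))
    print(is_spoofed_sender("bob@example.com", "example"))
```

On a live Windows host the three inputs would come from a directory listing of %windir% and C:\, the data of the Run key's "system" value, and the current TCP listeners; the attachment and sender checks are the kind of rule a mail gateway would apply to inbound messages from the period. The Run value is matched by its "\sys32.exe" tail because the description gives it only with the %windir% placeholder.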