05/11/2003

New MiMail variants


Two new MiMail variants have been discovered. They arrive as e-mail attachments named photos.zip (MiMail.C) and readnow.zip (MiMail.E).

Name: I-WORM.MiMail.C

AKA: 

Type: Internet Worm

Size: 12958 bytes (photos.zip), 12832 bytes (photos.jpg.exe)

Platform: Win 95/98/ME/NT/2000/XP 

Description:

MiMail.C is a new MiMail variant.
It spreads through e-mail, harvesting addresses from the infected PC and mailing itself to them.

The worm sends e-mail messages with the following sender address:

james@<SERVER NAME>

where <SERVER NAME> changes from provider to provider.

Messages carry this subject:

Re[2]: our private photos

followed by a run of spaces and a string of random characters, as in the example below:

Re[2]: our private photos                             kiikafea

With this message body:

Hello Dear!,

Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.
kiikafea


The random characters at the end of the body are the same as those appended to the subject.

The worm attaches the following infected ZIP file:

photos.zip

photos.zip contains photos.jpg.exe, which is clearly NOT an image but an executable: the .jpg is a decoy in a double extension, Windows runs the file according to its last extension (.exe), and with Explorer's default "Hide extensions for known file types" setting the name is displayed as photos.jpg.

Once executed, photos.jpg.exe drops a file named netwatch.exe in the Windows system folder
and then edits some registry keys so that it is executed at every computer startup.

It also creates:
1) Zip.tmp, 12958 bytes (copy of photos.zip)
2) Exe.tmp, 12832 bytes (copy of photos.jpg.exe)

Name: I-WORM.MiMail.E

AKA: 

Type: Internet Worm

Size: 10912 bytes (readnow.zip), 10784 bytes (readnow.doc.scr)

Platform: Win 95/98/ME/NT/2000/XP 

Description:

MiMail.E spreads through e-mail, harvesting addresses from the infected PC and mailing itself to them.

The worm sends e-mail messages with the following sender address:

john@<SERVER NAME>

where <SERVER NAME> changes from provider to provider.

Messages carry this subject:

don't be late!

followed by a run of spaces and a string of random characters, as in the example below:
don't be late!                     muvmpnep

With this message body:

Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,

so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

muvmpnep



The random characters at the end of the body are the same as those appended to the subject.

The worm attaches the following infected ZIP file:

readnow.zip

readnow.zip contains readnow.doc.scr, which is clearly NOT a document but an executable screensaver (.scr) file: the .doc is a decoy in a double extension, and Windows runs the file according to its last extension.


Once executed, readnow.doc.scr drops a file named sysload32.exe in the Windows system folder
and then edits some registry keys so that it is executed at every computer startup.

It also creates:
1) Zip.tmp, 10912 bytes (copy of readnow.zip)
2) Exe.tmp, 10784 bytes (copy of readnow.doc.scr)
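Both variants show the same two traits at the mail gateway: a ZIP attachment holding a double-extension executable (photos.jpg.exe, readnow.doc.scr) and a random lowercase word that closes both the subject and the body. The Python script below, an added example that is not part of the TG Soft alert, checks an incoming message for exactly those two traits and runs itself over constructed messages shaped like MiMail.C, MiMail.E and a benign mail. The sender addresses (example.invalid), the shortened bodies, the ZIP contents and the assumption that the random word is 6 to 10 lowercase letters are all stand-ins chosen for this demonstration, not data from the worm.

```python
"""Gateway check for the two MiMail mail-level traits (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Double extensions of the kind both variants use: a decoy document/image
# extension followed by one that Windows actually executes.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat"}
DECOY_EXT = {"jpg", "jpeg", "gif", "doc", "txt", "pdf"}

# Assumed shape of the random token (the two observed ones are 8 lowercase letters).
WORD_TOKEN = re.compile(r"[a-z]{6,10}")
# Last whitespace-separated word of the subject. Only \s+ is required, not the
# full run of spaces, because some MTAs collapse whitespace in headers.
SUBJECT_TOKEN = re.compile(r"\s+([a-z]{6,10})\s*$")


def disguised_executable(name):
    """True for names like photos.jpg.exe or readnow.doc.scr."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXT and parts[1] in DECOY_EXT


def zip_members(data):
    """Member names of a ZIP attachment; [] if the payload is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def subject_token(subject):
    """Last lowercase word of the subject, or None."""
    m = SUBJECT_TOKEN.search(subject)
    return m.group(1) if m else None


def body_token(body):
    """Last non-blank line of the body, if it is a lone lowercase word."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return lines[-1] if lines and WORD_TOKEN.fullmatch(lines[-1]) else None


def analyze(raw):
    """Findings for one RFC 822 message supplied as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    st = subject_token(str(msg["subject"] or ""))
    text = msg.get_body(preferencelist=("plain",))
    bt = body_token(text.get_content() if text else "")
    # A subject's last word alone means nothing; the signal is that the body
    # ends with the very same word, as in both MiMail variants.
    if st and st == bt:
        findings.append(f"subject and body end with the same random token {st!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        for member in zip_members(part.get_payload(decode=True) or b""):
            if disguised_executable(member):
                findings.append(f"{fname} contains disguised executable {member}")
    return findings


def build_sample(sender, subject, body, zip_name, member, token=""):
    """Constructed message in the layout the alert describes (no real worm code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\0" * 30)  # harmless stand-in bytes
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject + (" " * 20 + token if token else "")
    msg.set_content(body + ("\n" + token if token else "") + "\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


def demo():
    """Run the check over MiMail.C-like, MiMail.E-like and benign samples."""
    c = build_sample("james@example.invalid", "Re[2]: our private photos",
                     "Hello Dear!,\nRight now enjoy the photos.\nKiss, James.",
                     "photos.zip", "photos.jpg.exe", "kiikafea")
    e = build_sample("john@example.invalid", "don't be late!",
                     "Will meet tonight as we agreed, so don't be late.\nSee you.",
                     "readnow.zip", "readnow.doc.scr", "muvmpnep")
    ok = build_sample("alice@example.invalid", "holiday pictures",
                      "Here are the pictures.\nAlice", "pics.zip", "beach.jpg")
    return {"MiMail.C": analyze(c), "MiMail.E": analyze(e), "benign": analyze(ok)}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no findings'}")
```

Run it directly to print the findings for the three constructed messages; in a real gateway, analyze() would be fed the raw bytes of each incoming message. The double-extension check is the stronger of the two signals and stands on its own; the token check is kept deliberately loose (last word of the subject equal to the last line of the body) so it survives whitespace normalisation in transit.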

 


Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
