
New Virus W32/Mimail.c@MM



Nick VR4
31-10-2003, 09:00 PM
There's a new virus about
Most anti-virus vendors are putting this as MEDIUM ALERT

So go check your AV site for the latest signatures

--------------------------------------------------------------------------------------------------

W32/Mimail.c@MM

This worm was mass-spammed, which appears to have been the initial "seeding". An attachment named undelivered.hta (proactively detected as Downloader-BO.dr with the 4250 DAT files) creates the file c:\mware.exe . This executable is W32/Mimail.c@MM . When the .hta file is run, the following message is displayed:

Your message will be sent again in 1 hour. If it doesn't arrive - we will delete it from queue.

--
Due to the increased number of samples being submitted to AVERT, the risk assessment of this threat has been raised to medium
--

This mass-mailing worm spreads as a .ZIP file and contains a denial of service payload.

It bears similarities to a previous worm, W32/Mimail@MM . However, this variant does not use the codebase (MS02-015) and MHTML (MS03-014) exploits that the previous variants did.

A summary of the virus characteristics is as follows:

contains its own SMTP engine for constructing messages
mails itself as a ZIP attachment
harvests email addresses from the local machine
sends large volume of data (garbage) to a remote server - suggestive of a DoS payload (see below)
Users are reminded that the scanning of compressed files should be enabled for optimal detection.

Mail Propagation

Target email addresses are harvested from many files on the victim machine. These are written to the file EML.TMP in %WinDir%. Testing shows the worm is overly lax in identifying valid email addresses - as a result messages are likely to be sent to invalid recipients.

Outgoing messages are constructed using the worm's own SMTP engine. They are formatted as follows:

Subject : Re[2]: our private photos (plus additional spaces then random characters)
Attachment : PHOTOS.ZIP (12,958 bytes) which contains PHOTOS.JPG.EXE (12,832 bytes)
Message Body :
Hello Dear!,
Finally, i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're withou ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.
(random characters - the same as those terminating the subject)

Messages are constructed with the following X-headers:

X-Mailer: The Bat! (v1.62)
X-Priority: 1 (High)

The 'From' address of outgoing messages may be spoofed as follows:

james@(target domain.com)
Such as
james@abc.com
james@xyz.com
etc
As for previous variants, the mailing routine queries the mail server for the domain related to the target (harvested) address. Messages are then sent through that SMTP server. As previously, the worm contains a hardcoded IP address (212.5.86.163).

Denial of Service

The worm sends a large amount of data to remote servers (port 80 and ICMP). The worm verifies that a connection is active by contacting www.google.com. If successful an attack is initiated on the following domains:

darkprofits.net
darkprofits.com
www.darkprofits.net
www.darkprofits.com

This worm is written in MSVC. The samples received by AVERT have been UPX packed.


Symptoms
Existence of the files and Registry key detailed in the Method of Infection section.
Outgoing messages matching that described above
Large volumes of data being sent to port 80 of a remote server.


Method Of Infection
When run on the victim machine, the worm installs itself into %WinDir% as NETWATCH.EXE. For example:

C:\WINNT\NETWATCH.EXE (12,832 bytes)

Three other files are also dropped into %WinDir%:

%WinDir%\EML.TMP - contains a list of the email addresses harvested from the victim machine
%WinDir%\EXE.TMP - copy of the worm
%WinDir%\ZIP.TMP - a ZIP archive containing the worm
System startup is hooked via the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "NetWatch32" = C:\WINNT\NETWATCH.EXE
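A mail-gateway triage check for the indicators quoted in the post above (the fixed subject prefix, the X-Mailer header, and a PHOTOS.ZIP attachment wrapping PHOTOS.JPG.EXE), written as an added example that is not part of the original post or of the AVERT advisory. The two sample messages and the ZIP contents are constructed placeholders; the byte sizes quoted above are deliberately not checked because the placeholders do not match them.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory above (sizes omitted: samples below are placeholders).
SUBJECT_PREFIX = "Re[2]: our private photos"
X_MAILER = "The Bat! (v1.62)"
ATTACHMENT_NAME = "photos.zip"
INNER_NAME = "photos.jpg.exe"

def check_message(raw: bytes) -> list:
    """Return the Mimail.c indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # The subject is the fixed prefix followed by spaces and random characters.
    if (msg.get("Subject") or "").startswith(SUBJECT_PREFIX):
        hits.append("subject")
    if msg.get("X-Mailer") == X_MAILER:
        hits.append("x-mailer")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT_NAME:
            continue
        hits.append("attachment-name")
        # Look inside the archive, as the advisory says to scan compressed files.
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower() == INNER_NAME for n in zf.namelist()):
                    hits.append("inner-exe")
        except zipfile.BadZipFile:
            hits.append("bad-zip")  # malformed archive under the worm's filename
    return hits

def is_suspicious(raw: bytes) -> bool:
    return len(check_message(raw)) >= 2  # two independent indicators count as a match

def build_sample(subject: str, mailer: str, zip_name: str, inner: str) -> bytes:
    """Construct a test message carrying a ZIP with placeholder bytes (not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner, b"constructed placeholder, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "james@example.com", "user@example.com", subject
    msg["X-Mailer"], msg["X-Priority"] = mailer, "1 (High)"
    msg.set_content("Hello Dear!, ... Right now enjoy the photos.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

MIMAIL_SAMPLE = build_sample(SUBJECT_PREFIX + "   xkqjw", X_MAILER, "PHOTOS.ZIP", "PHOTOS.JPG.EXE")
BENIGN_SAMPLE = build_sample("Re: lunch", "Mutt/1.4", "notes.zip", "notes.txt")
```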