MiMail Worms
The Download.Mimail.B Worm
A new version of the Mimail worm, Download.Mimail.B, has
been spreading on the Internet. This variant sends email messages
with the following subject:
PAYPAL.COM NEW YEAR OFFER
Each message reads as follows:
We here at PayPal.com are pleased to announce that we have
a special New Year offer for you! If you currently have
an account with PayPal then you will be eligible to receive
a terrific prize from PayPal.com for the New Year. For a
limited time only PayPal is offering to add 10 percent of
the total balance in your PayPal account to your account
and all you have to do is register yourself within the next
five business days with our application (see attachment)!
The message carries two attachments. The first is a compressed Zip file; the second, when opened, copies the worm code to %systemroot%\Winmgr32.exe and %systemroot%\ee98af.tmp, and a zipped copy to %systemroot%\Zipzip.tmp. The worm also creates C:\index.hta and C:\index2.hta, the HTML Application (HTA) files that draw its fake dialog boxes, and C:\Tmpny3.txt, a temporary file holding whatever is typed into those dialogs. Download.Mimail.B then adds the value "WinMgr32" = "%Windir%\winmgr32.exe" (%Windir% and %systemroot% both denote the Windows installation directory) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the "Run key") in the infected system's Registry, so that the worm starts whenever the system boots. Next it checks whether the infected system is connected to the Internet and harvests email addresses from files on the system. It installs a Trojan horse that connects to a Web site and attempts to download a program to C:\mm.exe and execute it. It builds its own mail engine to generate and send email messages to the harvested addresses in an attempt to infect other systems, and it opens port 5555 on the infected system. Finally, and perhaps most significantly, Download.Mimail.B attempts to collect information such as Internet account names, dial-in user information, IP addresses, email contacts, and personal and financial data such as Social Security and credit card numbers.
Avoid falling for Download.Mimail.B's ploy! Do not open attachments you are not expecting, and never enter personal or financial information in response to an email message you receive. If this worm infects your system, go here for clean-up procedures. If you have entered personal or financial information in any of the dialog boxes that this worm displays, you will also need to report this promptly to your bank and credit card companies.
MiMail Worm—Variants A through I
The MiMail worm is actually a family of mass-mailing worms that target Windows systems. Each variant arrives as an email message with a characteristic subject line. For example, messages from the Mimail.A variant have the subject "Your account" (with a bogus notice that the recipient's email account will soon expire), messages from Mimail.C have the subject "Our private photos," and messages from Mimail.D have the subject "Don't be late" followed by a random string of letters. If the recipient opens the attachment sent with the message, MiMail infects the system by copying itself to the hard drive and inserting a value in the registry that starts the worm code every time the system boots. Different variants add further behaviour. Mimail.A exploits a buffer overflow vulnerability in Internet Explorer to execute unauthorized code on the systems it infects, builds its own mail engine to send itself to addresses harvested from the infected system, and captures text from windows on the infected system and sends whatever it finds to several Internet addresses, potentially exposing sensitive information. Mimail.E also sends email through a mail engine of its own, and additionally attempts a denial-of-service attack against certain Internet sites.
Although MiMail variants A through I make several changes
to systems that they infect, cleaning up systems that have
been infected by MiMail is not terribly difficult. If your
system becomes infected by one of the variants of this worm,
go here
to download and run Symantec's
Mimail Removal Tool.
Cleaning up an infected system does not, however, undo all the consequences of a Mimail infection: personal and other sensitive information captured from your computer has already been transferred to systems controlled by the worm's author.
The Mimail.J Worm
The Mimail.J worm is another variant of the Mimail worm family,
but it is almost certainly the one that causes the most trouble.
It arrives in an email message in which the apparent sender
is "Do_Not_Reply@paypal.com," and the subject is
"IMPORTANT." The message reads as follows:
Dear PayPal member,
We regret to inform you that your account is about to be
expired in next five business days. To avoid suspension
of your account you have to reactivate it by providing us
with your personal information. To update your personal
profile and continue using PayPal services you have to run
the attached application to this email. Just run it and
follow the instructions. IMPORTANT! If you ignore this alert,
your account will be suspended in next five business days
and you will not be able to use PayPal anymore. Thank you
for using PayPal.
The attachment is named www.paypal.com.pif or InfoUpdate.exe. If a user opens this attachment on a Windows system, Mimail.J copies itself to %systemroot%\svchost32.exe and %systemroot%\ee98af.tmp (where %systemroot% is the Windows installation directory, whatever its actual name). Mimail.J then adds the value "SvcHost32" = "%systemroot%\svchost32.exe" to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key of the infected system's registry, which starts the worm code whenever the system boots. The file name is chosen to resemble svchost.exe, a legitimate Windows system process. Next, Mimail.J displays a fake form (an .hta file) that instructs the user to enter personal information such as Social Security number, mother's maiden name, and driver's license number. Whatever the user enters is written to C:\ppinfo.sys. Mimail.J then checks whether this file exists, which indicates that the fake form has been completed, and whether it can resolve the hostname www.akamai.com (a test for Internet connectivity). If both are true, it sends the contents of ppinfo.sys to several addresses, exposing personal information that can lead to identity theft and other harm. But Mimail.J is not done yet. It then looks for email addresses in cached Internet files, saves them in %systemroot%\el388.tmp, and sends the same message that the user of the infected system received to each address.
A removal tool that eradicates Mimail.J (and other variants
of this worm) is available here.
More importantly, however, if you have been duped by this
worm, you need to take appropriate measures to combat the
possible financial loss and damage to your credit rating that
misuse of the information you entered is likely to cause!
The MiMail.L Worm
Mimail.L@mm, yet another variant of the Mimail worm family, sends itself via email and steals personal information from the Windows systems it infects. The subject of the messages MiMail.L sends is "We are going to bill your credit card," and the attachment is named "wendy.zip." When a user opens the attachment, Mimail.L writes itself to %systemroot%\Svchost.exe, where %systemroot% is the Windows installation folder. (The genuine svchost.exe lives in the System32 subfolder; a copy sitting directly in the Windows folder is a sign of infection.) It then adds the value "France" = "%Windir%\svchost.exe" to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the registry, so that it starts every time the infected system boots. It collects email addresses from a variety of files on the infected system, writes them to %systemroot%\Xu298da.tmp, and mails copies of itself to those addresses. Mimail.L also records text from windows open on the infected system and sends it to several Internet addresses.
MiMail.L also generates messages falsely informing users that they will be billed $22.95 for CDs they have allegedly ordered, and that they can cancel the order by sending information (including their credit card number) to security@europe.spamhaus.org. Anyone who sends this kind of information becomes highly vulnerable to identity theft! If you receive this message, ignore it. Whatever you do, don't forward it to anyone else.
Some versions of this worm encrypt the attachment that Mimail generates and send the password needed to decrypt it along with the attachment. A password-protected archive cannot be opened by the antivirus scanner on a mail gateway, so such an attachment may reach you unscanned; it is extremely important that you do not decrypt and open it. If you do, you will infect your system. No matter which message and attachment you receive, just delete the message. Don't open the attachment, and don't forward the message to anyone else. Be sure to keep your system's antivirus software up to date, too. If Mimail.L should infect your system, download and run Symantec's MiMail.L clean-up tool.
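The registry values and dropped files listed above for Download.Mimail.B, Mimail.J and Mimail.L are the artifacts a responder would look for on a host. The following is an added example, not code from the original advisory or from Symantec's removal tool, of an offline indicator matcher in Python: it takes a snapshot of the HKLM Run key values and a list of file paths, expands the %SystemRoot% and %Windir% forms the page uses interchangeably, and reports which variant's persistence entry and drop files are present. Two details from the text are handled explicitly: a Run-key hit counts as confirmed while file evidence alone is only possible (ee98af.tmp is dropped by both variant B and variant J), and svchost.exe only counts for Mimail.L when it sits directly in the Windows folder rather than in System32. The Windows directory C:\WINDOWS, the host snapshot and the value name "ServiceHost" are assumptions constructed for the example.

```python
"""Offline indicator matcher for the MiMail variants described on this page.

Added example; not code from the original advisory or from any vendor
removal tool. Inputs are a snapshot of the HKLM Run key values and a list
of file paths, both constructed inline below.
"""
import ntpath
import re

# Assumed Windows installation directory, used to expand the page's
# %SystemRoot% / %Windir% forms (they name the same directory).
WINDIR = r"c:\windows"

# Indicators transcribed from the page's per-variant descriptions:
# Run-key value name, the worm binary it points at, and other dropped files.
VARIANT_IOCS = {
    "Download.Mimail.B": {
        "run_value": "WinMgr32",
        "run_binary": "winmgr32.exe",
        "files": {"ee98af.tmp", "zipzip.tmp", "index.hta", "index2.hta",
                  "tmpny3.txt", "mm.exe"},
    },
    "Mimail.J": {
        "run_value": "SvcHost32",
        "run_binary": "svchost32.exe",
        "files": {"ee98af.tmp", "ppinfo.sys", "el388.tmp"},
    },
    "Mimail.L": {
        "run_value": "France",
        "run_binary": "svchost.exe",
        "files": {"xu298da.tmp"},
    },
}


def normalise(path):
    """Strip quotes, expand %SystemRoot%/%Windir% in any case, lower-case."""
    p = path.strip().strip('"').strip()
    p = re.sub(r"%(systemroot|windir)%", lambda _m: WINDIR, p, flags=re.IGNORECASE)
    return p.lower()


def dropped_in_windir(full, name):
    """True if `full` is `name` sitting directly in the Windows directory.
    Every variant above writes its binary there, not in System32, so a
    genuine system32 svchost.exe must not trip the Mimail.L rule."""
    return ntpath.dirname(full) == WINDIR and ntpath.basename(full) == name


def scan_run_key(run_values):
    """run_values: {value_name: data} from the HKLM ...\\CurrentVersion\\Run key.
    Returns {variant: value_name} where both the value name and the expanded
    target path match that variant's persistence entry."""
    hits = {}
    for name, data in run_values.items():
        for variant, ioc in VARIANT_IOCS.items():
            if (name.lower() == ioc["run_value"].lower()
                    and dropped_in_windir(normalise(data), ioc["run_binary"])):
                hits[variant] = name
    return hits


def scan_files(paths):
    """Returns {variant: sorted matching paths}. Temp and data drops match by
    basename wherever they sit (the page puts several at the drive root);
    the worm binary itself only counts when it is directly in the Windows dir."""
    hits = {}
    for original in paths:
        full = normalise(original)
        base = ntpath.basename(full)
        for variant, ioc in VARIANT_IOCS.items():
            if base in ioc["files"] or dropped_in_windir(full, ioc["run_binary"]):
                hits.setdefault(variant, []).append(original)
    return {v: sorted(p) for v, p in hits.items()}


def triage(run_values, paths):
    """Combine both scans. A Run-key hit is 'confirmed'; file evidence alone
    is only 'possible', because ee98af.tmp is dropped by both variant B and
    variant J and a leftover .tmp cannot tell them apart."""
    run_hits = scan_run_key(run_values)
    file_hits = scan_files(paths)
    return {v: ("confirmed" if v in run_hits else "possible")
            for v in set(run_hits) | set(file_hits)}


# Constructed host snapshot for the example (not captured from a real machine).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "France": r'"%Windir%\svchost.exe"',
    "ServiceHost": r"C:\WINDOWS\system32\svchost.exe",   # legitimate, must not match
}
SAMPLE_FILES = [
    r"C:\WINDOWS\Xu298da.tmp",
    r"C:\WINDOWS\svchost.exe",             # worm copy in the Windows dir
    r"C:\WINDOWS\system32\svchost.exe",    # genuine Windows binary
    r"C:\WINDOWS\ee98af.tmp",              # shared by variants B and J
    r"C:\ppinfo.sys",
]

if __name__ == "__main__":
    for variant, confidence in sorted(triage(SAMPLE_RUN, SAMPLE_FILES).items()):
        print(f"{variant}: {confidence}")
```

On a live Windows host the two inputs would come from reading the Run key (for instance with the standard-library winreg module) and walking the Windows directory and drive root; the matching logic stays the same. The ServiceHost entry and the System32 copy of svchost.exe in the sample are there to show that the matcher keys on the value name and on the directory, not on the file name alone.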