Mimail.q: The Return Of A Calculating Email Blackmailer
26 Jan 2004
Kaspersky Lab, a leading information security software developer, has detected a new version of the notorious Internet worm Mimail. Mimail.q carries a built-in encryption key intended to defeat anti-virus programs, and reports of infections are already coming in. Kaspersky Lab predicts that the outbreak will gain momentum over the next few days and recommends that all users update their anti-virus protection immediately.
Mimail.q spreads via email in messages with varying content (there are about 30 variations) and randomly chosen attachment names. The worm consists of two components: the dropper (the module that installs the core) and the carrier (the core itself).
If a user is thoughtless enough to launch the file attached to the infected email, the dropper opens a window with a fake error message. It then copies itself under the name sys32.exe and registers that file in the system registry auto-run key. Finally, the dropper unpacks the main component, a file named outlook.exe, and launches it.
The most important modification in Mimail.q is the polymorphic encryption built in to fool anti-virus programs. Every time the infected machine is restarted, Mimail.q changes the encryption key, so the copies of itself that it sends out look different each time. This means that anti-virus programs must have a decryption routine in order to contend with Mimail.q successfully.
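To make the point above concrete, here is an added toy example (not Mimail.q's code and not its real cipher or file layout; the 4-byte header key, XOR encoding, body text and signature are all constructed for illustration) showing why a byte signature taken from one copy misses a re-keyed copy, while a scanner that first runs a decryption routine matches both:

```python
import os

# Constructed toy sample layout (an assumption for this illustration, not the
# worm's real format): a 4-byte key in a header, followed by the body XOR-encoded
# with that key. The body text and signature are likewise made up.
BODY = b"TOY-BODY: scan disks, mail copies, listen on ports 80 1433 1434 3000 6667"
SIGNATURE = b"scan disks, mail copies"  # byte pattern a static scanner would carry

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def fresh_key() -> bytes:
    """Models 're-key on every restart': a new random 4-byte key each time."""
    return os.urandom(4)

def make_copy(key: bytes) -> bytes:
    """Build one 'sent copy': header key + body encoded under that key."""
    return key + xor_bytes(BODY, key)

def naive_scan(sample: bytes) -> bool:
    """Static signature match on the bytes exactly as they arrive."""
    return SIGNATURE in sample

def decrypt_then_scan(sample: bytes) -> bool:
    """Emulate the decryption routine: recover the key from the header,
    decode the body, and only then look for the signature."""
    key, encoded = sample[:4], sample[4:]
    return SIGNATURE in xor_bytes(encoded, key)

def compare(key_a: bytes = b"\x11\x22\x33\x44", key_b: bytes = b"\xa5\x5a\xff\x01") -> dict:
    """Two copies sent after two 'restarts' (two keys): are they byte-identical,
    does the raw signature hit, and does decrypt-then-scan hit?"""
    copy_a, copy_b = make_copy(key_a), make_copy(key_b)
    return {
        "copies_identical": copy_a == copy_b,
        "naive_hits": (naive_scan(copy_a), naive_scan(copy_b)),
        "decrypt_hits": (decrypt_then_scan(copy_a), decrypt_then_scan(copy_b)),
    }

if __name__ == "__main__":
    print(compare())
    print(compare(fresh_key(), fresh_key())["decrypt_hits"])
```

Because every copy differs in its encoded bytes, a hash or raw-byte signature of one copy says nothing about the next; the decryption step is what turns the changing samples back into one constant body to match.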
The main component of the worm performs several functions at once. Firstly, it spreads copies of Mimail.q: it scans the contents of the disks for email addresses and sends infected messages to them using its own built-in mailing mechanism.
Secondly, the main component opens the infected computer to the worm's creator on ports 80, 1433, 1434, 3000 and 6667. The worm receives commands via these ports and reports the results of executing them to a number of addresses at public email services.
Thirdly, Mimail.q gathers information about PayPal and E-Gold accounts on the computer in exactly the same way as previous versions of Mimail, and sends the details needed to access these accounts to the addresses mentioned above.
Finally, the worm's code contains the following text, addressed to public email services as a threat in case the email addresses used by Mimail.q are closed by the service provider:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***
Protection against Mimail.q, using a decryption routine, has already been added to the Kaspersky Anti-Virus databases.
A fuller description of this malicious program can be found in the Kaspersky Virus Encyclopedia.