New Mimail Worm Promises Exotic Photographs & Harasses E-Gold

31 Oct 2003
Virus News


Kaspersky Lab, a leading data security software developer, reports the detection of Mimail.c, a new modification of the infamous network worm Mimail. Numerous reports of infection by this malicious program have already been registered. Mimail.c is a classic e-mail worm, spreading via e-mail messages with the following characteristics:

Sender address:
james@recipient's domain

Subject:
Re[2]: our private photos

Message body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.

Attachment:
photos.jpg.zip
It is interesting to note that the sender address of infected messages is formed with the domain of the recipient. This tactic makes it harder to localize the infection epicentre and may give recipients the impression that the message came from a colleague or acquaintance.

If someone carelessly opens the infected file attachment and launches Mimail.c, the worm installs itself on the computer and proceeds to spread through the network. First, Mimail.c copies itself to the Windows directory under the name netwatch.exe, then registers this file in the auto-run key in the system registry and creates several additional helper files. To create one of these files, the Mimail worm uses a built-in ZIP archiving procedure.

To mail itself out, Mimail.c uses another built-in function: a procedure for spreading via e-mail over the SMTP protocol. The worm scans files in the Shell Folders and Program Files directories and extracts from them text strings likely to be e-mail addresses. Next, unbeknownst to the victim, Mimail.c mails itself out to the addresses it has found.

Mimail.c has the added ability to cause significant damage to users of the E-Gold payment system. The worm monitors the activity of E-Gold applications installed on infected machines, records confidential data from them, and sends this information to several anonymous e-mail addresses owned by the worm's creator. Additionally, all infected computers are used to carry out distributed DoS attacks on the www.darkprofits.com and www.darkprofits.net web sites by sending them an endless stream of random data packets.

Protection against Mimail.c has already been added to the Kaspersky Anti-Virus database. More details about this malicious program can be found in the Kaspersky Virus Encyclopedia.
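The message characteristics listed above are exactly what a mail gateway filter can match on. The following Python check is an added example, not Kaspersky's code: it parses a raw message and reports which of the three Mimail.c traits are present (a "james@" sender whose domain equals the recipient's own domain, the fixed subject line, and the photos.jpg.zip attachment), and quarantines when two or more appear together, since a same-domain sender named James on its own is also an ordinary colleague. The sample messages, addresses and body text are constructed for illustration and are assumptions, not captured worm mail.

```python
"""
Added example, not Kaspersky's code: a mail-filter check that flags the
Mimail.c message traits listed in the advisory.  Sample messages below are
constructed; the addresses and body text are assumptions for illustration.
"""
import email
import email.utils
from email.message import EmailMessage, Message
from typing import List

# Traits taken from the advisory text.
MIMAIL_LOCALPART = "james"
MIMAIL_SUBJECT = "Re[2]: our private photos"
MIMAIL_ATTACHMENT = "photos.jpg.zip"


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or "" when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _attachment_names(msg: Message) -> List[str]:
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def mimail_c_indicators(raw: str) -> List[str]:
    """Return the Mimail.c traits present in one raw RFC 2822 message."""
    msg = email.message_from_string(raw)
    hits = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    recipient = email.utils.parseaddr(msg.get("To", ""))[1]

    # Trait 1: the worm forges "james@" + the recipient's own domain, so the
    # sender domain equals the To: domain.  Alone this also matches a real
    # colleague named James, hence the two-trait threshold in is_mimail_c.
    if (sender.split("@")[0].lower() == MIMAIL_LOCALPART
            and _domain(sender) and _domain(sender) == _domain(recipient)):
        hits.append("sender james@ in recipient's domain")

    # Trait 2: the fixed subject line.
    if msg.get("Subject", "").strip() == MIMAIL_SUBJECT:
        hits.append("subject 'Re[2]: our private photos'")

    # Trait 3: the ZIP-wrapped "photos.jpg.zip" attachment.
    if MIMAIL_ATTACHMENT in _attachment_names(msg):
        hits.append("attachment photos.jpg.zip")
    return hits


def is_mimail_c(raw: str) -> bool:
    """Quarantine rule: two or more traits together."""
    return len(mimail_c_indicators(raw)) >= 2


def build_message(sender: str, recipient: str, subject: str,
                  body: str, attachment: str = "") -> str:
    """Construct a raw MIME message (test fixture, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = recipient
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        # Placeholder bytes standing in for the worm's ZIP; not a real archive.
        m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()


# Constructed samples: one shaped like the worm's mail, one ordinary note
# from a colleague that shares only the sender trait.
WORM_SAMPLE = build_message("james@example.org", "alice@example.org",
                            MIMAIL_SUBJECT, "(lure text omitted)",
                            MIMAIL_ATTACHMENT)
BENIGN_SAMPLE = build_message("james@example.org", "alice@example.org",
                              "Minutes from today's meeting",
                              "Sending the notes tomorrow.")

if __name__ == "__main__":
    for name, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_mimail_c(raw), mimail_c_indicators(raw))
```

The sender check deliberately compares the two domains rather than looking for a fixed string, because the advisory says the forged domain is whatever the recipient's domain happens to be; a filter that only knows one company's domain would miss the same worm arriving at another.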