Win32.Mimail.D,E,F,H@mm (W32/Mimail.gen@MM (McAfee))

SYMPTOMS:

- Presence of the following files in the %WINDOWS% folder:
  exe.tmp
  zip.tmp
  eml.tmp
  cnfrm.exe (variants D@mm and E@mm)
  sysload32.exe (variant F@mm)
  cnfrm33.exe (variant H@mm)
- Presence of any of the following registry values:
  For the D@mm and E@mm variants:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] contains the value "Cnfrm32"="%WINDOWS%\cnfrm.exe"
  For the F@mm variant:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] contains the value "SystemLoad32"="%WINDOWS%\sysload32.exe"
  For the H@mm variant:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] contains the value "Cn323"="%WINDOWS%\cnfrm33.exe"

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems).

TECHNICAL DESCRIPTION:

There are only small differences between the two variants D and F. Like their predecessors, versions A and C, these versions also spread via e-mail. The e-mail format is as follows:

From: john@???????? (???????? means any domain, for example yahoo.com)
Subject: don't be late! (30 spaces) ???????? (? may be any letter)
Body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
Attachment: readnow.zip (containing the file readnow.doc.scr)

Once run, the virus does the following:

- On Windows 9x/Me systems, hides its presence using RegisterServiceProcess, so it cannot be seen in Task Manager.
- Copies itself into the %WINDOWS% folder as cnfrm.exe (D@mm and E@mm variants), sysload32.exe (F@mm variant) or cnfrm33.exe (H@mm variant).
- Creates zip.tmp (a copy of readnow.zip) and exe.tmp (a copy of readnow.doc.scr) in the %WINDOWS% folder.
- Creates the registry value
  variants D@mm and E@mm: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] with the value "Cnfrm32"="%WINDOWS%\cnfrm.exe"
  variant F@mm: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\] with the value "SystemLoad32"="%WINDOWS%\sysload32.exe"
  variant H@mm: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] with the value "Cn323"="%WINDOWS%\cnfrm33.exe"
- Searches for e-mail addresses in files inside the Program Files folder and in files found using the registry list of folders [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder], skipping files with the extensions com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp, and stores the harvested e-mail addresses in the file %WINDOWS%\eml.tmp.
- Uses its own SMTP engine to send itself: for each harvested e-mail address, it queries the host's DNS server for the domain name associated with the address and attempts to send itself through that domain's SMTP server or, if that fails, through the SMTP server at 212.5.86.163.
- Checks whether the infected computer is connected to the Internet by attempting to access www.google.com.
- Attempts DoS attacks.

Removal instructions:

Manual removal:
- Open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP) and use "End Process" on cnfrm.exe, sysload32.exe or cnfrm33.exe.
- Delete the files eml.tmp, exe.tmp and zip.tmp from the Windows folder.
- Open Registry Editor (click Start, Run and enter regedit) and remove any of the values:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32]
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32]
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cn323]

Automatic removal: Let BitDefender disinfect/delete the files found infected.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
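A host-side check for the symptoms listed above, written here as an added example (it is not a BitDefender tool). The dropped file names and the Run value names are the ones the write-up gives for the D/E, F and H variants; the function names `read_run_values` and `find_mimail_indicators` and the injectable `file_exists` callback are my own, and the callback exists so the logic can be exercised on constructed data without touching a real registry or file system.

```python
"""Check a Windows host for the Mimail D/E/F/H indicators listed in the write-up."""
import ntpath
import os
import sys
from typing import Callable, Dict, List

# Per-variant indicators from the write-up: Run value name -> (dropped file, variants)
VARIANT_RUN_VALUES = {
    "Cnfrm32": ("cnfrm.exe", "D@mm/E@mm"),
    "SystemLoad32": ("sysload32.exe", "F@mm"),
    "Cn323": ("cnfrm33.exe", "H@mm"),
}
# Temporary files every variant drops in the Windows folder
TEMP_FILES = ("exe.tmp", "zip.tmp", "eml.tmp")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def read_run_values() -> Dict[str, str]:
    """Return the name->data pairs under HKLM\\...\\Run (empty dict off Windows)."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            values[name] = str(data)
            index += 1
    return values


def find_mimail_indicators(windows_dir: str, run_values: Dict[str, str],
                           file_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return human-readable findings; an empty list means no indicator matched.

    file_exists is injectable (assumption of this example) so the check can be
    run against constructed data on any platform.
    """
    findings: List[str] = []
    for value_name, (exe, variants) in VARIANT_RUN_VALUES.items():
        if value_name in run_values:
            findings.append(f"Run value {value_name}={run_values[value_name]} (Mimail {variants})")
        # ntpath keeps Windows separators even when this runs elsewhere
        if file_exists(ntpath.join(windows_dir, exe)):
            findings.append(f"file {exe} in Windows folder (Mimail {variants})")
    for tmp in TEMP_FILES:
        if file_exists(ntpath.join(windows_dir, tmp)):
            findings.append(f"file {tmp} in Windows folder")
    return findings


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for line in find_mimail_indicators(windir, read_run_values()) or ["no Mimail indicators found"]:
        print(line)
```

Run it as a local user on the host being checked; reading HKLM\...\Run and testing file existence need no elevation. A Run value name match is reported even when its data differs from the write-up, since the names Cnfrm32, SystemLoad32 and Cn323 are specific enough to warrant a look on their own.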
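A mail-gateway check for the e-mail format described in the technical description, added here as an example that is not part of the original write-up. It matches the three traits the page gives (a "john@" sender with any domain, the Subject made of "don't be late!", exactly 30 spaces and letters, and a readnow.zip attachment holding readnow.doc.scr); the function names `mimail_indicators` and `build_sample` are my own, and the sample message is constructed in the block with harmless placeholder bytes so the check runs offline.

```python
"""Flag messages matching the Mimail D/E/F/H mail format from the write-up."""
import email
import io
import re
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List

# Subject from the write-up: "don't be late!" followed by 30 spaces and random letters
SUBJECT_RE = re.compile(r"^don't be late! {30}[A-Za-z]+$")
ATTACHMENT_NAME = "readnow.zip"
INNER_FILE = "readnow.doc.scr"


def mimail_indicators(raw: bytes) -> List[str]:
    """Return the Mimail traits found in one raw message (empty list if none)."""
    msg = email.message_from_bytes(raw)
    hits: List[str] = []
    # Unfold the header so a folded Subject still meets the exact-spacing rule
    subject = re.sub(r"\r?\n", "", msg.get("Subject", ""))
    if SUBJECT_RE.match(subject):
        hits.append("subject matches Mimail pattern")
    # The write-up fixes only the local part; the domain varies
    if re.search(r"\bjohn@", msg.get("From", ""), re.IGNORECASE):
        hits.append("sender local part is 'john'")
    for part in msg.walk():
        name = part.get_filename()
        if not name or name.lower() != ATTACHMENT_NAME:
            continue
        hits.append(f"attachment named {ATTACHMENT_NAME}")
        payload = part.get_payload(decode=True) or b""
        try:
            members = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            continue  # named like the worm's zip but not a zip; the name hit stands
        if any(m.lower() == INNER_FILE for m in members):
            hits.append(f"zip contains {INNER_FILE}")
    return hits


def build_sample(subject: str, sender: str = "john@example.com",
                 inner_name: str = INNER_FILE) -> bytes:
    """Construct a message shaped like the worm's mail (the zip holds harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not the worm")
    msg = MIMEMultipart()
    msg["From"] = sender
    msg["To"] = "someone@example.org"
    msg["Subject"] = subject
    msg.attach(MIMEText("Will meet tonight as we agreed ..."))
    att = MIMEApplication(buf.getvalue())
    att.add_header("Content-Disposition", "attachment", filename=ATTACHMENT_NAME)
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("don't be late!" + " " * 30 + "qwertyuio")
    print(mimail_indicators(sample))
```

The traits are reported separately rather than folded into one verdict so a gateway can weight them: the attachment name plus the .doc.scr member inside the zip is the strong signal, while the sender and Subject checks alone would also catch the page's description of the lure text.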