Win32/Mimail.L
Win32/Mimail.L is a worm that spreads as a file attached to an e-mail message. It runs on Windows 95 and later versions of Windows. Its body is 11296 bytes long and is compressed with the UPX utility; once decompressed, it is 490 KB long.
Note: In the text below, the symbolic name %windir% stands for the directory in which the Windows operating system is installed, which of course differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
The worm arrives in a message with the subject line Re[2]. The body of the message contains the following text.
Hi Greg its Wendy.
I was shocked, when I found out that it wasn't you but your twin brother!!!
That's amazing, you're as like as two peas. No one in bed is better than you
Greg. I remember, I remember everything very well, that promised you to tell
how it was, I'll give you a call today after 9.
He took my skirt off, then my panties, then my bra, he sucked my tits, with
the same fury you do it. He was writing alphabet on my pussy for 20 minutes,
then suddenly stopped, put me in doggy style position and stuck his dagger.But
Greg, why didn't you warn me that his dick is 15 inches long???? I was struck,
we fucked whole night.
I'm so thankful to you, for acquainted me to your brother. I think we can do
it on $0D$0Athe next Saturday all three together? What do you think? O yes,
$0D$0Aas you wanted I've made a few pictures check them out in archive, I hope
they will excite you, and you will dream of our new meeting...
Wendy.
The message has an attachment named wendy.zip, 11446 bytes long. The archive contains the file for_greg_with_love.jpg.exe, which is the worm Win32/Mimail.L itself; the double extension makes the executable look like a JPEG image to a user whose system hides known extensions.
Sometimes the worm instead sends a message with the following text in the body.
Good afternoon, We are going to bill your credit card for amount
of $22.95 on a weekly basis. Free pack of child porn CDs is already on the way
to your billing address. If you want to cancel membership and your CD pack please
email order and credit card details to security@europe.spamhaus.org.
Are you ready for all types of underage porn? We have the best selection for
every taste!
Just click the secret links below and have fun:
http://www.spamhaus.org
http://www.spews.org
http://www.register.com
http://www.cardcops.com
http://www.carderplanet.net
http://www.spamcop.net
http://disney.go.com
http://www.authorizenet.com
Nude boys under 16! Nude girls under 16! Incest, a daddy & a daughter! We have everything you have ever dreamed for!
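The lure described above (subject Re[2], a zip attachment hiding a .jpg.exe) is exactly what a mail gateway filter should catch. The following is an added example, not ESET's code or the worm's: it constructs a look-alike message in memory (the inner file is a harmless placeholder, not the worm) and scans it. The block list of executable extensions and the double-extension pattern are assumptions standing in for local policy.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from typing import List

# Names taken from the writeup above; used here only to build a look-alike sample.
LURE_SUBJECT = "Re[2]"
ZIP_NAME = "wendy.zip"
INNER_NAME = "for_greg_with_love.jpg.exe"

# Assumption: a typical gateway policy for what counts as "executable" and for
# the "picture.jpg.exe" style of disguise. Tune these to local policy.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|bmp|png|txt|doc|pdf)\.(exe|scr|pif|com)$", re.IGNORECASE)


def build_sample_message(lure: bool = True) -> bytes:
    """Construct a test message (constructed sample, not a real capture).

    With lure=True the message mimics the worm's mail: subject Re[2] and a
    wendy.zip attachment containing for_greg_with_love.jpg.exe. The inner file
    is a harmless placeholder, not the worm. With lure=False it is a benign
    mail with a picture in the archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if lure:
            zf.writestr(INNER_NAME, b"placeholder bytes, not an executable")
        else:
            zf.writestr("photo.jpg", b"\xff\xd8\xff placeholder jpeg bytes")
    msg = EmailMessage()
    msg["From"] = "wendy@example.invalid"
    msg["To"] = "greg@example.invalid"
    msg["Subject"] = LURE_SUBJECT if lure else "holiday pictures"
    msg.set_content("check them out in archive\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ZIP_NAME if lure else "photos.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> List[str]:
    """Return the reasons to quarantine a message; an empty list means clean."""
    findings: List[str] = []
    msg = email.message_from_bytes(raw)
    if (msg.get("Subject") or "").strip() == LURE_SUBJECT:
        findings.append(f"subject is the lure subject {LURE_SUBJECT!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and container parts carry no filename
        data = part.get_payload(decode=True) or b""
        if EXEC_EXT.search(name):
            findings.append(f"executable attachment {name}")
            continue
        # Look inside archives: the worm hides the .exe in a zip so that a
        # filename-only filter on the outer attachment does not see it.
        if data.startswith(b"PK\x03\x04"):  # local file header magic of a zip
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        inner = info.filename
                        if DOUBLE_EXT.search(inner):
                            findings.append(f"double extension inside {name}: {inner}")
                        elif EXEC_EXT.search(inner):
                            findings.append(f"executable inside {name}: {inner}")
            except zipfile.BadZipFile:
                # A corrupt or deliberately malformed archive is not "clean";
                # treat it as suspicious rather than silently passing it.
                findings.append(f"unreadable zip attachment {name}")
    return findings


if __name__ == "__main__":
    for verdict in scan_message(build_sample_message()):
        print("QUARANTINE:", verdict)
    print("clean sample findings:", scan_message(build_sample_message(lure=False)))
```

The archive is identified by its magic bytes rather than by the outer filename, so renaming wendy.zip to wendy.dat would not bypass the inner-name check, and a damaged archive is reported instead of being waved through.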
After the worm is run, it creates copies of itself named svchost.exe and xu39reu.tmp in the %windir% directory; both files are 11296 bytes long. (Note that the legitimate svchost.exe lives in %system%, not in %windir%.) In the same directory it also creates the file x8wui12s.tmp, which is identical to wendy.zip. To ensure that its copy is activated again after the system is restarted, it creates a value named France under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and sets it to %windir%\svchost.exe.
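The dropped files and the Run value above are the host-side indicators. The following is an added example (not ESET's code) of a triage routine that checks a snapshot of %windir% and of the Run key for them; it takes the listing and the registry values as plain dictionaries so that it runs offline against a constructed sample of an infected host. The sample sizes for the benign files are invented for illustration.

```python
import ntpath
from typing import Dict, List

# Indicators taken from the writeup above.
WORM_LENGTH = 11296                       # bytes, packed body
DROPPED_TMP = {"xu39reu.tmp", "x8wui12s.tmp", "xu298da.tmp"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "France"


def triage(windir: str, files: Dict[str, int], run_values: Dict[str, str]) -> List[str]:
    """Check a host snapshot for Mimail.L indicators and return the findings.

    files       maps full path -> size in bytes (e.g. from a directory listing)
    run_values  maps value name -> value data read from the Run key
    Matching is case-insensitive and slash-agnostic, as Windows itself is.
    """
    findings: List[str] = []
    windir_n = ntpath.normcase(windir.rstrip("\\/"))
    worm_copy = ntpath.join(windir_n, "svchost.exe")

    for path, size in files.items():
        folder, name = ntpath.split(ntpath.normcase(path))
        if folder != windir_n:
            continue  # only files directly in %windir% are of interest
        if name == "svchost.exe":
            # The legitimate svchost.exe lives in %system%, never in %windir%.
            tag = " (same length as the worm body)" if size == WORM_LENGTH else ""
            findings.append(f"svchost.exe in %windir%: {path}, {size} bytes{tag}")
        elif name in DROPPED_TMP:
            findings.append(f"worm drop file: {path}, {size} bytes")

    for vname, vdata in run_values.items():
        # Either the value name or the target path on its own is enough:
        # a variant could rename the value but still point at the same copy.
        target = ntpath.normcase(vdata.strip().strip('"'))
        if vname.lower() == RUN_VALUE_NAME.lower() or target == worm_copy:
            findings.append(f"persistence: {RUN_KEY}\\{vname} = {vdata}")
    return findings


# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_WINDIR = r"C:\WINDOWS"
SAMPLE_FILES = {
    r"C:\WINDOWS\svchost.exe": 11296,             # worm copy
    r"C:\WINDOWS\xu39reu.tmp": 11296,             # second worm copy
    r"C:\WINDOWS\x8wui12s.tmp": 11446,            # the wendy.zip it mails out
    r"C:\WINDOWS\notepad.exe": 69120,             # benign, size invented
    r"C:\WINDOWS\system32\svchost.exe": 14336,    # the real one, size invented
}
SAMPLE_RUN = {
    "France": r"C:\WINDOWS/svchost.exe",          # forward slash, as written by the worm
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for line in triage(SAMPLE_WINDIR, SAMPLE_FILES, SAMPLE_RUN):
        print(line)
```

When acting on the findings, terminate the running svchost.exe copy from %windir% first (the real service host in %system% must be left alone), then delete the Run value and the dropped files; removing the files while the process is still running lets it recreate them.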
It harvests addresses for its spreading by searching files that were downloaded from the Internet and cached temporarily on disk, skipping files with the following extensions.
bmp
jpg
gif
exe
dll
avi
mpg
mp3
vxd
ocx
psd
tif
zip
rar
pdf
cab
wav
com
Win32/Mimail.L saves the harvested addresses in the file %windir%\xu298da.tmp and sends copies of itself to them.
Win32/Mimail.L also attempts a DoS (Denial of Service) attack against the following hosts, the same ones that appear as links in the second message variant.
www.spamhaus.org
www.spews.org
www.register.com
www.cardcops.com
www.carderplanet.net
www.spamcop.net
disney.go.com
www.authorizenet.com
The body of the worm contains the following text.
*** Made in France. ***
NOD32 detected the worm Win32/Mimail.L with its extended heuristics without any update. Detection based on a Win32/Mimail.L sample was added in version 1.568.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

