Threat Encyclopedia


Win32/Mimail.J

Win32/Mimail.J is a worm that spreads as a file attached to an e-mail message. It runs on Windows 95 and newer versions of the Windows operating system. Its body is 13856 bytes long and is compressed with the UPX utility; after decompression its length is 500 Kb.

Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm arrives in a message that appears to be sent from Do_Not_Reply@paypal.com. The subject of the message is the word IMPORTANT, and the body of the message contains the following text.

Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.

The attachment of the message is a file named www.paypal.com.pif, which contains the worm.
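A mail-gateway check for the message described above, added here as an example and not part of the ESET entry. It uses Python's standard email library and a constructed sample message whose attachment is inert filler, not the worm; the From header is trivially spoofable, so it is treated as one indicator among several.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators taken from the Win32/Mimail.J description above.
MIMAIL_J_SENDER = "do_not_reply@paypal.com"
MIMAIL_J_SUBJECT = "IMPORTANT"
MIMAIL_J_ATTACHMENT = "www.paypal.com.pif"
MIMAIL_J_LURE = "run the attached application"
# Attachment extensions that Windows executes directly; a .pif is a shortcut
# to a DOS program and is launched like an .exe.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}


def mimail_j_indicators(raw_message: bytes) -> list[str]:
    """Return the Win32/Mimail.J indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: list[str] = []
    if MIMAIL_J_SENDER in (msg.get("From") or "").lower():
        hits.append("sender spoofs Do_Not_Reply@paypal.com")
    if (msg.get("Subject") or "").strip() == MIMAIL_J_SUBJECT:
        hits.append("subject is exactly 'IMPORTANT'")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and MIMAIL_J_LURE in body.get_content().lower():
        hits.append("body asks the recipient to run an attached application")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == MIMAIL_J_ATTACHMENT:
            hits.append("attachment is www.paypal.com.pif")
        elif os.path.splitext(name)[1] in EXEC_EXTENSIONS:
            hits.append("executable attachment " + name)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample with the headers and attachment name the entry
    describes. The attachment content is inert filler, not the worm."""
    msg = EmailMessage()
    msg["From"] = "Do_Not_Reply@paypal.com"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "IMPORTANT"
    msg.set_content("Dear PayPal member,\n\nTo update your personal profile you "
                    "have to run the attached application to this email.\n")
    msg.add_attachment(b"inert filler bytes", maintype="application",
                       subtype="octet-stream", filename="www.paypal.com.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in mimail_j_indicators(build_sample_message()):
        print("-", hit)
```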

When the worm is run, it creates copies of itself named svchost32.exe and ee98af.tmp in the directory %windir%; both files are 13856 bytes long. To ensure that the copy is activated again after the system restarts, it creates a value named SvcHost32 under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and sets it to %windir%/svchost32.exe. In addition, Win32/Mimail.J creates three files in the root directory of drive C: pp.gif, pp.hta and index2.hta, with lengths of 902 bytes, 3534 bytes and 7588 bytes, respectively. The worm uses these files to harvest credit card data.

Win32/Mimail.J displays the file pp.hta, which opens the following window.

After the form is completed and the Next button is clicked, the file index2.hta is displayed, which opens the following window.

After this second form is completed and the Next button is clicked, the collected information is saved in the file C:\ppinfo.sys. Win32/Mimail.J then tries to send the collected data to predefined e-mail addresses (basperskb@mail15.com, bkasperskb@mail15.com, xdmiw@kaspersky.cjb.net).

It collects e-mail addresses for its spreading by searching the files downloaded from the Internet and temporarily stored on disk. While doing so, it skips files with the following extensions.

bmp
jpg
gif
exe
dll
avi
mpg
mp3
vxd
ocx
psd
tif
zip
rar
pdf
cab
wav
com

Win32/Mimail.J saves the collected addresses in the file %windir%/el288.tmp and sends copies of itself to them.

NOD32 detected Win32/Mimail.J using its extended heuristics without requiring an update. Detection of Win32/Mimail.J based on a sample was added in version 1.558.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.