I-Worm.Mimail.i
Mimail.i spreads through the Internet in the infected file attachment paypal.asp.scr. The Mimial.i worm is a Windows application file (PE EXE file) that is about 12 KB in size and compressed by UPX. The uncompressed size is about 30KB.
Infected email messages include the following content:
Sender address:
donotreply@paypal.com
Subject:
YOUR PAYPAL.COM ACCOUNT EXPIRES
Body Text:
Dear PayPal member,
PayPal would like to inform you about some
important information regarding your PayPal account. This account, which
is associated with this email address will be expiring within five business
days. We apologize for any inconvenience that this may cause, but this
is occurring because all of our customers are required to update their
account settings with their personal information.
We are taking these actions because we are
implementing a new security policy on our website to insure everyone's
absolute privacy. To avoid any interruption in PayPal services then you
will need to run the application that we have sent with this email (see
attachment) and follow the instructions. Please do not send your personal
information through email, as it will not be as secure.
IMPORTANT! If you do not update your information
with our secure application within the next five business days then we
will be forced to deactivate your account and you will not be able to use
your PayPal account any longer. It is strongly recommended that you take
a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This
mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
Attachement:
donotreply@paypal.com
The Mimail.i worm only gains control if a victim opens the file attachment.
Behaviour
Upon being launched the Mimail.i worm displays a dialogue window
asking the computer user to supply PayPal credit card data. Any data entered
is then kept in the file named ppinfo.sys, which is then sent to the evildoer
behind the worm (the worm's author).
Mimail.i then copies itself into the Windows catalogue under the
name svchost32.exe and registers itself in the system registry auto-run
key with the following entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SvcHost32 = %windir%\svchost32.exe
Mimail.i creates two files in the C:\ root directory - pp.gif and pp.hta. These files are used to display the dialogue window requesting PayPal credit card information.
The worm creates the following files in the Windows directory:
zp3891.tmp
ee98af.tmp
el388.tmp
Spreading
To mail out infected messages (of itself), Mimail.c uses its own
SMTP engine. To detect email addresses to target, the worm searches for
address strings contained in files located in the Shell Folders and Program
Files directories.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
141103/090904
