EMAIL VIRUS HITS CORPORATE USERS, HEADS FOR HOMES

Posted: Sat Nov 01, 2003 7:30 am
by AussieMark
E-Mail Virus Hits Corporate Users, Heads for Homes

SAN FRANCISCO (Reuters) - A new e-mail virus started spreading to corporate computers on Friday and is headed for home computers, but computer security experts said they expect the outbreak to wind down over the weekend.
Anti-virus software maker Trend Micro said tens of thousands of its corporate computer users in France and Germany had been hit by the virus, dubbed "Mimail.C."

The e-mail was spreading quickly because it spoofs e-mail addresses in a computer address book, making it appear as if the virus-carrying e-mail comes from a friend or co-worker, said Raimund Genes, European president of Trend Micro.

Trend and Network Associates Inc. rated the virus a "medium" threat, upgrading it from a low-level threat because of the large number of infections being reported within a short time, according to Vincent Gullotto, vice president of Network Associates' anti-virus response team.

The virus arrives in a zip, or compressed file, in an e-mail with a subject line of "our private photos." The text in the body of the message says: "All our photos which i've made at the beach...." and is signed "Kiss, James."

When the recipient opens the zip file and then the executable file inside that, the virus harvests e-mail addresses from the computer to spread itself further, Gullotto said.

It also sends an unknown type of data to a remote server in what appears to be an attempt to cripple the server in a "denial of service" attack, he said. In such an attack, a remote attacker instructs compromised computers to overload a Web site and take it down temporarily.

The attack appeared to have been targeting four Web sites with the name "darkprofits," according to Network Associates.

Posted: Sat Nov 01, 2003 8:19 am
by AussieMark
More Info

W32.Mimail.C@mm is a variant of W32.Mimail.A@mm that spreads by email and steals information from infected computers.

The email has the following characteristics:

Subject: Re[2]: our private photos [random string of letters]
Attachment: photos.zip

Symantec Security Response has developed a removal tool to clean the infections of W32.Mimail.C@mm.


Also Known As: W32/Mimail.c@mm [McAfee], Worm_Mimail.C [Trend], W32/Mimail-C [Sophos], Mimail.C [AVP]
Variants: W32.Mimail.A@mm
Type: Worm
Infection Length: 12,832 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: Linux, Macintosh, Microsoft IIS, OS/2, UNIX

THREAT ASSESSMENT

Wild:

    Number of infections: 50 - 999
    Number of sites: More than 10
    Geographical distribution: Medium
    Threat containment: Easy
    Removal: Easy
Damage

    Payload:
      Large scale e-mailing: Sends email messages using its own SMTP engine
      Causes system instability: sends data to the darkprofits domains in an attempt to perform a Denial of Service.
      Releases confidential info: Captures text from specific windows and sends the data to predetermined email addresses
Distribution

    Subject of email: Re[2]: our private photos [random string of letters]
    Name of attachment: photos.zip
TECHNICAL DETAILS

When W32.Mimail.C@mm is executed, it does the following:

1. Copies itself as %Windir%\Netwatch.exe. (Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.)

2. Adds the value:

    "NetWatch32" = "%Windir%\netwatch.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Collects email addresses from all the files on the computer, except those with the extensions:

    com
    wav
    cab
    pdf
    rar
    zip
    tif
    psd
    ocx
    vxd
    mp3
    mpg
    avi
    dll
    exe
    gif
    jpg
    bmp
4. Writes all the email addresses to the file, %Windir%\eml.tmp.


5. Checks to see whether there is a valid Internet connection by attempting to connect to http://www.google.com.


6. Captures text from specific windows and sends the data to predetermined email addresses.


7. Sends email messages using its own SMTP engine. For each email address the worm gathers, it will:

    Look up the Mail Exchange (MX) record for the domain name using the DNS server of the current host. If a DNS server is not found, it will default to 212.5.86.163.
    Acquire the mail server associated with that particular domain.
    Directly contact the destination server.
    The email has the following characteristics:

    From: james@<current domain> (The from address may be spoofed to appear that it is coming from the current domain)

    Subject: Re[2]: our private photos [random sequence of letters]

    Message:
    Hello Dear!,

    Finally i've found possibility to right u, my lovely girl :)
    All our photos which i've made at the beach (even when u're without ur bh:))
    photos are great! This evening i'll come and we'll make the best SEX :)
    Right now enjoy the photos.

    Kiss, James.
    [random sequence of letters]

    Attachment: photos.zip

    Note: Photos.zip contains only one file, photos.jpg.exe.
8. Performs a Denial of Service (DoS) with the following characteristics:
    Randomly selects a site from the names below:

    1. darkprofits.net
    2. http://www.darkprofits.net
    3. darkprofits.com
    4. http://www.darkprofits.com

    DoS routine is designed to have 15 attacking threads active at any moment.
    Each thread performs one TCP connection or an ICMP attack, then sleeps for 5 seconds.
    Randomly chooses to perform a TCP connection on port 80 or an ICMP attack.
    The packets sent to the victim carry a 2k payload filled with random data.
    Uses a random ICMP type when performing the ICMP attack.
    The data sent is either the GET request or some random data when performing the HTTP connection.
9. Creates two additional files in the %Windir% folder:

    Zip.tmp: a temporary copy of message.zip (12,958 bytes).
    Exe.tmp: a temporary copy of message.html (12,832 bytes).
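
The write-up above gives a defender everything needed for a quick triage rule: the Run-key value name, the files dropped into %Windir% (with their sizes), the subject line pattern and the photos.zip / photos.jpg.exe attachment. The script below is an added example written for this thread, not code from Symantec, Trend or any of the posters. It takes a constructed host snapshot (Run-key values and a %Windir% listing passed in as dictionaries, so it runs offline on any platform) plus mail subject and attachment names, and reports which Mimail.C indicators match. The DoS routine is deliberately not reproduced; only the persistence, dropped-file and lure-mail indicators are checked.

```python
import re
from typing import Dict, List, Optional

# Host artifacts as listed in the write-up quoted above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "NetWatch32"
# lower-case file name in %Windir% -> expected size in bytes (None = varies)
DROPPED_FILES: Dict[str, Optional[int]] = {
    "netwatch.exe": 12832,  # the worm body itself
    "eml.tmp": None,        # harvested address list, size depends on the host
    "zip.tmp": 12958,       # temporary copy of the zip attachment
    "exe.tmp": 12832,       # temporary copy of the executable
}

# Subject is "Re[2]: our private photos" followed by a random run of letters.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\b", re.IGNORECASE)
ATTACHMENT_NAME = "photos.zip"
INNER_NAME = "photos.jpg.exe"


def host_findings(run_values: Dict[str, str], windir_files: Dict[str, int]) -> List[str]:
    """Return human-readable findings for one host snapshot.

    run_values:   value name -> data, as read from the HKLM ...\\Run key
    windir_files: lower-case file name -> size in bytes, a listing of %Windir%
    Both are supplied by the caller (constructed in the demo below); a real
    triage script would read them from the host being examined.
    """
    findings: List[str] = []
    # Persistence: the NetWatch32 value, or any Run value launching netwatch.exe
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith("netwatch.exe"):
            findings.append(f"persistence: {RUN_KEY}\\{name} = {data}")
    # Dropped files: report presence, and note a size mismatch where a size is known
    for fname, expected in DROPPED_FILES.items():
        if fname in windir_files:
            size = windir_files[fname]
            note = "" if expected is None or size == expected else f" (size {size}, expected {expected})"
            findings.append(f"dropped file: %Windir%\\{fname}{note}")
    return findings


def is_mimail_c_lure(subject: str, attachment_names: List[str]) -> bool:
    """Mail-gateway style rule: subject pattern AND the photos.zip attachment."""
    subject_hit = SUBJECT_RE.match(subject.strip()) is not None
    attach_hit = any(a.lower() == ATTACHMENT_NAME for a in attachment_names)
    return subject_hit and attach_hit


def zip_member_is_suspicious(member_name: str) -> bool:
    """Flag the double-extension trick used inside photos.zip (photos.jpg.exe)
    and, more generally, any member that ends in .exe behind another extension."""
    lower = member_name.lower()
    return lower == INNER_NAME or (lower.count(".") >= 2 and lower.endswith(".exe"))


if __name__ == "__main__":
    # Constructed snapshot of an infected host (not real telemetry).
    run = {
        "NetWatch32": r"C:\WINDOWS\netwatch.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign entry, must not match
    }
    files = {
        "netwatch.exe": 12832,
        "eml.tmp": 4096,
        "zip.tmp": 12958,
        "exe.tmp": 12832,
        "explorer.exe": 1032192,
    }
    for finding in host_findings(run, files):
        print(finding)
    # Constructed lure mail matching the write-up's subject and attachment
    print(is_mimail_c_lure("Re[2]: our private photos kqzmv", ["photos.zip"]))
    print(zip_member_is_suspicious("photos.jpg.exe"))
```

The subject check is anchored at the start of the line because the write-up says the random letters come after the fixed text; matching the attachment name as well keeps replies that merely quote the subject from being quarantined. The size hints are informational only, since a repacked sample would change them.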

Posted: Sat Nov 01, 2003 12:57 pm
by streetsoldier
Last night, I downloaded the definition in my Norton Virus Scan...running fine here!

Posted: Sat Nov 01, 2003 2:03 pm
by Colin
Thanks for the notice!!!!!