Top 10 malware reported to Sophos in December 2003
This section helps you to understand how it behaves:
W32/Mimail-K is a worm which spreads via email using addresses harvested
from the hard drive of the infected computer. All email addresses found on
the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up, the worm copies itself to the file sysload32.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32
The emails sent by the worm may have the following characteristics:
Subject line : don't be late!<30 spaces><random characters>
Message text : Will meet tonight as we agreed, because on Wednesday I don't
think i'll make it, so don't be late. And yes, by the way here is the file
you asked for. It's all written there. See you.
<random characters>
Attached file : readnow.zip
W32/Mimail-K spoofs the From field of the sent emails using the email address john@<your domain>.
Readnow.zip is a compressed file which contains an executable file named
readnow.doc.scr. The worm also creates a copy of itself named exe.tmp and a
copy of readnow.zip named zip.tmp, both in the Windows folder.
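As an added example (not Sophos code), the following Python mail-filter heuristic checks a message for the characteristics listed above: the subject pattern with its 30 spaces, the spoofed john@ sender, the readnow.zip attachment name, and a document-looking file that really ends in an executable extension (readnow.doc.scr) inside the zip. The sample messages it builds are constructed here, and the example.test addresses are placeholders.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject: "don't be late!", exactly 30 spaces, then the random trailing characters.
SUBJECT_RE = re.compile(r"^don't be late! {30}\S*$")
# A document-looking name that actually ends in an executable extension (readnow.doc.scr).
DOUBLE_EXT_RE = re.compile(r"\.(doc|txt|pdf|jpg|gif)\.(scr|exe|pif|com)$", re.IGNORECASE)


def mimail_k_indicators(raw: bytes) -> list:
    """Return the Mimail-K indicators present in one raw RFC 822 message (empty list if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    if str(msg.get("From", "")).lower().startswith("john@"):
        hits.append("spoofed-from")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == "readnow.zip":
            hits.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # zip magic: look inside for the real payload name
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits += [f"double-extension:{n}" for n in zf.namelist() if DOUBLE_EXT_RE.search(n)]
            except zipfile.BadZipFile:
                hits.append("corrupt-zip")
    return hits


def build_sample(subject: str, attachment_name: str, inner_name: str,
                 sender: str = "john@example.test") -> bytes:
    """Construct a test message with a zip attachment holding one harmless inner file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real payload")  # constructed content
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender  # the worm spoofs john@<recipient's domain>; example.test is a placeholder
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content("Will meet tonight as we agreed ... here is the file you asked for.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()
```

Running mimail_k_indicators over build_sample("don't be late!" + " " * 30 + "xq9z", "readnow.zip", "readnow.doc.scr") reports all four indicators, while a benign message from another sender with a notes.txt inside notes.zip reports none.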
While searching for email addresses in files on the local hard drive, W32/Mimail-K attempts to exclude files with the following extensions from the search:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
W32/Mimail-K also attempts denial of service attacks targeting:
darkprofits.cc
www.darkprofits.cc
darkprofits.ws
www.darkprofits.ws