Top 10 malware reported to Sophos in November 2003
This section is for technical experts who want to know more.
W32/Mimail-C is a worm that spreads via email using addresses harvested from
the hard drive of the infected computer. All email addresses found on the
computer are saved in a file eml.tmp in the Windows folder.
In order to run automatically when Windows starts up W32/Mimail-C copies
itself to the file netwatch.exe in the Windows folder and adds the following
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32
The emails sent by the worm have the following characteristics:
Subject line: Re[2]: our private photos <random letters>
Message text:
Hello Dear!
Finaly i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
Attached file: photos.zip
W32/Mimail-C spoofs the From field of the sent emails using the email
address james@<your domain>.
Photos.zip is a compressed file which contains an executable file named
photos.jpg.exe.
While searching for email addresses in files on the local hard drive W32/Mimail-C
attempts to exclude the following extensions from the search:
AVI
BMP
CAB
COM
DLL
EXE
GIF
JPG
MP3
MPG
OCX
PDF
PSD
RAR
TIF
VXD
WAV
ZIP
W32/Mimail-C can launch a denial of service attack against the websites
www.darkprofits.com and www.darkprofits.net.
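As an added defender-side example, not part of the Sophos description: a mail-gateway check that reports which of the email characteristics listed above (subject line, spoofed james@ sender, photos.zip attachment containing photos.jpg.exe) are present in a raw message. The sample message, its placeholder domain and the zip contents are constructed for the example.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the Sophos description above.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\b", re.IGNORECASE)
SPOOFED_LOCALPART = "james"
ATTACHMENT_NAME = "photos.zip"
PAYLOAD_NAME = "photos.jpg.exe"


def mimail_c_indicators(raw):
    """Return the list of W32/Mimail-C characteristics found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    sender = msg.get("From", "").lower()
    if re.search(r"\b" + SPOOFED_LOCALPART + r"@", sender):
        hits.append("from-james")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name != ATTACHMENT_NAME:
            continue
        hits.append("attachment-name")
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # not a valid archive, nothing more to inspect
        if PAYLOAD_NAME in names:
            hits.append("zip-contains-photos.jpg.exe")
    return hits


def build_sample_message():
    """Constructed sample mimicking the worm's email (placeholder domain, benign zip content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PAYLOAD_NAME, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "james@example.invalid"
    msg["Subject"] = "Re[2]: our private photos qwxz"
    msg.set_content("Right now enjoy the photos.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=ATTACHMENT_NAME)
    return msg.as_bytes()
```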