Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

TrendMicro NewsLetter: WORM_MIMAIL.H

WORM_MIMAIL.H is a destructive, memory-resident worm that propagates via its own Simple Mail Transfer Protocol (SMTP) engine. It sends email with the following details, and spoofs the sender email address:

From: john@
Subject: don't be late wgfaxaam
Message Body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.

wgfwxaax

Attachment: readnow.zip

This worm randomly performs a Denial of Service (DoS) attack against the following Web sites:

www.spamhaus.org
www.spews.org

WORM_MIMAIL.H runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself as CNFRM33.EXE in the Windows folder. It then creates a registry entry so that its dropped copy executes at every Windows startup.

This worm deletes the following files if they exist:

• ZIP.TMP
• EXE.TMP
• EML.TMP

It then creates a copy of itself in the Windows folder using the file name EXE.TMP. It uses this file to create another .ZIP file named ZIP.TMP, which contains a copy of this worm with the file name READNOW.DOC.SCR. This worm creates ZIP.TMP using a hard-coded ZIP header and by appending data (which is a copy of itself) to the file. The resulting .ZIP archive file contains the worm in an uncompressed format. It registers itself as a service process and is not visible in the task list of Windows 95, 98, and ME.

This worm arrives as an email attachment that is a .ZIP file containing a UPX-compressed Win32 .EXE file. It must be manually extracted and executed by the recipient in order to propagate.

It only obtains addresses from files that do not have the following extensions:

• COM
• WAV
• CAB
• PDF
• RAR
• ZIP
• TIF
• PSD
• OCX
• VXD
• MP3
• MPG
• AVI
• DLL
• EXE
• GIF
• JPG
• BMP

It tries to resolve the "www.google.com" host name to check whether an Internet connection is present. If it is successful, it executes its payload and propagation routines.

If you would like to scan your computer for WORM_MIMAIL.H or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: housecall.trendmicro.com

WORM_MIMAIL.H is detected and cleaned by Trend Micro pattern file #674 and above.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
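The attachment described above is a ZIP archive that stores an uncompressed Win32 executable under a document-looking double extension (READNOW.DOC.SCR). The following is an added example, not part of the newsletter or the post, showing how a mail-gateway check could inspect such an attachment for those traits. The archive it scans is constructed inline with a fake MZ stub; no real sample is used.

```python
import io
import zipfile

# Extensions Windows runs when double-clicked; .SCR is the one the worm uses.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_zip(entries, compression=zipfile.ZIP_STORED) -> bytes:
    """Constructed helper: build an in-memory archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return one finding per entry that looks like a disguised executable.

    An entry is flagged when its final extension is executable or its content
    starts with the PE/MZ signature; a double extension and an uncompressed
    (stored) entry are recorded as supporting reasons, matching the traits
    the advisory describes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            final_ext = "." + parts[-1] if len(parts) > 1 else ""
            head = zf.open(info).read(2)
            reasons = []
            if final_ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {final_ext}")
            if head == b"MZ":
                reasons.append("PE (MZ) header")
            if not reasons:
                continue  # plain data file, nothing to report
            if len(parts) > 2:
                reasons.append("double extension hides the real type")
            if info.compress_type == zipfile.ZIP_STORED:
                reasons.append("stored uncompressed")
            findings.append({"name": info.filename, "reasons": reasons})
    return findings


# Constructed sample mimicking the described attachment (fake 66-byte MZ stub).
SAMPLE_ZIP = build_zip([("READNOW.DOC.SCR", b"MZ" + b"\x90" * 64),
                        ("notes.txt", b"just text")])

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_ZIP):
        print(f["name"], "->", "; ".join(f["reasons"]))
```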