Forums » Up and Running » Security » Security » TrendMicro NewsLetter: WORM_MIMAIL.H
Randy Bell (Premium, join: 2002-02-24, Santa Clara, CA)

TrendMicro NewsLetter: WORM_MIMAIL.H

WORM_MIMAIL.H is a destructive, memory-resident worm that propagates via its own Simple Mail Transfer Protocol (SMTP) engine. It sends email with the following details, and spoofs the sender email address:

From: john@
Subject: don't be late wgfaxaam
Message Body: Will meet tonight as we agreed, because on Wednesday I don’t think I’ll make it, so don’t be late. And yes, by the way here is the file you asked for. It’s all written there. See you.

wgfwxaax

Attachment: readnow.zip

This worm randomly performs a Denial of Service (DoS) attack against the following Web sites:

www.spamhaus.org
www.spews.org

WORM_MIMAIL.H runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself as CNFRM33.EXE in the Windows folder. It then creates a registry entry so that its dropped copy executes at every Windows startup.

This worm deletes the following files if they exist:

• ZIP.TMP
• EXE.TMP
• EML.TMP

It then creates a copy of itself in the Windows folder using the file name EXE.TMP. It uses this file to create another .ZIP file named ZIP.TMP, which contains a copy of this worm with the file name READNOW.DOC.SCR. This worm creates ZIP.TMP using a hard-coded ZIP header and by appending data (which is a copy of itself) to the file. The resulting .ZIP archive file contains the worm in an uncompressed format. It registers itself as a service process and is not visible in the task list of Windows 95, 98, and ME.

This worm arrives as an email attachment that is a .ZIP file containing a UPX-compressed Win32 .EXE file. It must be manually extracted and executed by the recipient in order to propagate.

It only obtains addresses from files that do not have the following extensions:

• COM
• WAV
• CAB
• PDF
• RAR
• ZIP
• TIF
• PSD
• OCX
• VXD
• MP3
• MPG
• AVI
• DLL
• EXE
• GIF
• JPG
• BMP

It tries to resolve the "www.google.com" host name to check if an Internet connection is present. If it is successful, it executes its payload and propagation routines.

If you would like to scan your computer for WORM_MIMAIL.H or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: housecall.trendmicro.com

WORM_MIMAIL.H is detected and cleaned by Trend Micro pattern file #674 and above.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
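The newsletter above gives a defender several concrete indicators: the fixed subject prefix followed by random letters, the opening sentence of the body, the `readnow.zip` attachment holding a stored (uncompressed) `READNOW.DOC.SCR`, and the files dropped into the Windows folder. The following Python is an added example, not code from Trend Micro or from the post, that turns those indicators into checks a mail gateway or host sweep could run. The sample attachment it builds is a constructed, harmless ZIP with placeholder bytes; the function names and the assumption that the subject's trailing token is a run of lowercase letters are mine, not from the newsletter.

```python
"""Indicator checks for WORM_MIMAIL.H as described in the Trend Micro text (added example)."""
import io
import os
import re
import tempfile
import zipfile

# Names taken from the newsletter: dropped files in the Windows folder and the mail attachment.
DROPPED_FILES = ("CNFRM33.EXE", "EXE.TMP", "ZIP.TMP", "EML.TMP")
MAIL_ATTACHMENT = "readnow.zip"
# Subject is "don't be late" plus a random token; assumed here to be lowercase letters.
SUBJECT_RE = re.compile(r"^don't be late [a-z]+$", re.IGNORECASE)
BODY_MARKER = "will meet tonight as we agreed"


def inspect_zip_attachment(data: bytes) -> dict:
    """Parse a ZIP attachment and report the traits the newsletter describes:
    an entry with a double extension ending in .SCR that is stored uncompressed."""
    result = {"entries": [], "stored_scr": [], "malformed": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # The worm writes a hard-coded header; a damaged archive is still worth flagging upstream.
        result["malformed"] = True
        return result
    for info in zf.infolist():
        result["entries"].append(info.filename)
        name = info.filename.lower()
        double_ext_scr = name.count(".") >= 2 and name.endswith(".scr")
        if double_ext_scr and info.compress_type == zipfile.ZIP_STORED:
            result["stored_scr"].append(info.filename)
    return result


def mail_indicators(subject: str, body: str, attachment_name: str, attachment_bytes: bytes) -> list:
    """Return the list of newsletter indicators a single message matches."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")
    if BODY_MARKER in body.lower():
        hits.append("body")
    if attachment_name.lower() == MAIL_ATTACHMENT:
        hits.append("attachment-name")
    if inspect_zip_attachment(attachment_bytes)["stored_scr"]:
        hits.append("stored-scr-in-zip")
    return hits


def host_indicators(windows_dir: str) -> list:
    """List which of the worm's dropped file names exist in the given Windows folder."""
    return [n for n in DROPPED_FILES if os.path.isfile(os.path.join(windows_dir, n))]


def build_sample_attachment() -> bytes:
    """Constructed sample shaped like the described attachment: one stored entry, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("READNOW.DOC.SCR", b"constructed placeholder bytes, not an executable")
    return buf.getvalue()


def demo_host_check() -> list:
    """Simulate a host sweep against a temporary folder containing a placeholder CNFRM33.EXE."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "CNFRM33.EXE"), "wb").close()
        return host_indicators(d)


if __name__ == "__main__":
    sample_body = "Will meet tonight as we agreed, because on Wednesday I don't think I'll make it"
    print(mail_indicators("don't be late wgfaxaam", sample_body, "readnow.zip", build_sample_attachment()))
    print(demo_host_check())
```

The ZIP check matters more than the subject or body strings: the random token already varies between messages, while the stored double-extension screensaver inside a small archive is the trait that survives text changes and is cheap to test at the gateway.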
Tuesday, 01-Dec 02:29:39 | © 1999-2009 dslreports.com