Und3ertak3r
November 2nd, 2003, 11:08 AM
I would recommend also reading the following thread.. Found Here (http://www.antionline.com/showthread.php?s=&threadid=250493)
This heads up is posted due to the severity rating being Cat 3..
This information from Symantec found Here (http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.d@mm.html)
Description:
W32.Mimail.D@mm is a variant of W32.Mimail.C@mm that spreads by email. It is packed with UPX.
The email has the following characteristics:
Subject: don't be late! [random string of letters]
Attachment: readnow.zip
Technical details: (part of)
Payload:
Large scale e-mailing: Sends email messages using its own SMTP engine
Causes system instability: Sends data to fethard.biz and fethard-finance.com in an attempt to perform a Denial Of Service
Distribution
Subject of email: don't be late! [random string of letters]
Name of attachment: readnow.zip
Size of attachment: 10,912
When W32.Mimail.D@mm is executed, it does the following:
Copies itself as %Windir%\cnfrm.exe.
--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------
Adds the value:
"Cnfrm" = "%Windir%\cnfrm.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AKA and Variants
W32/Mimail@mm [McAfee] W32.Mimail.A@mm, W32.Mimail.C@mm
BTW: I think I have unwittingly classified this worm as spam on my mail system.. and have manually deleted the crud from the ISP's server..
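The poster mentions that his mail system caught this worm as spam. As an added example (not code from the post or from Symantec), here is a small Python filter that checks an incoming RFC 822 message against the mail-side indicators quoted above: the "don't be late! [random string of letters]" subject, the readnow.zip attachment name, and the 10,912-byte attachment size. It assumes the random string is letters only, as the write-up says; the sample messages are constructed inline and contain no real worm code.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the Symantec description quoted in the post.
# Assumption: the "random string of letters" is ASCII letters only.
SUBJECT_RE = re.compile(r"^don't be late! [A-Za-z]+$")
ATTACHMENT_NAME = "readnow.zip"
ATTACHMENT_SIZE = 10912  # bytes, per the write-up; a weak indicator on its own


def mimail_d_indicators(raw: bytes) -> dict:
    """Parse a raw message and report which W32.Mimail.D@mm mail indicators match.

    Returns a dict with three booleans so an operator can see partial matches
    (e.g. the right subject and name but a different size) rather than a bare verdict.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    hits = {
        "subject": bool(SUBJECT_RE.match(subject)),
        "attachment_name": False,
        "attachment_size": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits["attachment_name"] = True
            payload = part.get_payload(decode=True) or b""
            hits["attachment_size"] = len(payload) == ATTACHMENT_SIZE
    return hits


def looks_like_mimail_d(raw: bytes) -> bool:
    """Verdict used by the filter: subject pattern plus attachment name.

    Size is reported but not required, since a repacked variant changes it
    while the lure subject and attachment name stayed the same across reports.
    """
    hits = mimail_d_indicators(raw)
    return hits["subject"] and hits["attachment_name"]


def build_sample(subject: str, attachment_name: str, size: int) -> bytes:
    """Construct a test message (constructed sample, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # hypothetical addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    # Filler bytes stand in for the zip; only the name and length matter here.
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    suspect = build_sample("don't be late! qwerty", "readnow.zip", ATTACHMENT_SIZE)
    print(mimail_d_indicators(suspect), looks_like_mimail_d(suspect))
    benign = build_sample("meeting notes", "notes.zip", 2000)
    print(mimail_d_indicators(benign), looks_like_mimail_d(benign))
```

The subject and attachment-name checks are the ones worth acting on; the size check is kept only as supporting evidence, because anything that repacks the worm changes it.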