New Worm Steals User Data

New Worm Steals User Data
Mimail variant lifts victim's files, spreads by raiding e-mail address book.

A new Internet worm that steals information from users' computers and tries to shut down two Web sites is spreading, antivirus vendors warn.


The worm, dubbed Mimail.C, is a variant of the W32.Mimail worm that surfaced in August. Antivirus software vendors rate the worm a "medium" level threat, indicating that it is infecting computers and spreading. Among the antivirus vendors weighing in on the threat are Symantec, F-Secure, and Network Associates.

All of the primary antivirus vendors say they have updated their software to protect customers against the newly discovered worm.


Mimail.C's Methods
Mimail.C was discovered Friday, the vendors say in bulletins on their Web sites. It arrives as an e-mail nessage with "our private photos" in the subject line and an attached .zip archive file called "photos.zip."

The sender's address is faked to be "james" at the receiver's domain and the body of the message promises revealing photos of a girl at a beach, the antivirus vendors say.

The worm with its attachment was mass-mailed, which most likely started its propagation, according to an alert from Network Associates.


Opening Activates
Infection starts when the recipient unpacks the "PHOTOS.JPG.EXE" file from the attachment and runs it. The worm will harvest e-mail addresses from the user's PC to mail copies itself to additional recipients. It will also send information captured from applications the user has open to certain e-mail addresses programmed into the malicious code, the antivirus companies say.

The worm will also attempt to launch a denial of service attack on Web sites at darkprofits.com and darkprofits.net, the vendors say. Both sites were unreachable Friday afternoon.

http://www.pcworld.com/news/article/0,aid,113228,00.asp

Also

Sealed with a kiss, new e-mail virus spreading Reuters News Service
SAN FRANCISCO -- A new e-mail virus started spreading to corporate computers Friday and is headed for home computers, but computer security experts said they expect the outbreak to wind down over the weekend.

Antivirus software maker Trend Micro said tens of thousands of its corporate computer users in France and Germany had been hit by the virus, dubbed "Mimail.C".

The e-mail was spreading quickly because it spoofs e-mail addresses in address books, making it appear as if the virus-carrying e-mail comes from a friend or co-worker, said Raimund Genes, European president of Trend Micro.

Trend and Network Associates rated the virus a medium threat, upgrading it from a low-level threat because of the large number of infections being reported within a short time, said Vincent Gullotto, vice president of Network Associates' antivirus response team.

The virus arrives in a compressed file via e-mail with a subject line of "our private photos." The message text says: "All our photos which i've made at the beach ... " and is signed "Kiss, James."

The attack appeared to have been targeting four Web sites with the name "darkprofits," according to Network Associates.


http://www.chron.com/cs/CDA/ssistory...siness/2195542


:eek: Dr_Evil

Kaspersky sends us this:

"General News. Friday, October 31, 2003
******************************************************************

1. New Mimail Worm Promises Exotic Photographs & Harasses E-Gold
2. How to subscribe/unsubscribe
3. Security Rules

****

1. New Mimail Worm Promises Exotic Photographs & Harasses E-Gold

Kaspersky Labs, a leading data security software developer, reports the
detection of Mimail.c - a new modification of the infamous network worm,
Mimail. There have been numerous registered reports of infection from
this malicious program.

Mimail.c is a classic e-mail worm, spreading via email messages
containing the following characteristics:

Sender address: james@recipient's domain

Subject: Re[2]: our private photos

Message body: Hello Dear!, Finally i've found possibility to right u, my
lovely girl :) All our photos which i've made at the beach (even when
u're without ur bh:)) photos are great! This evening i'll come and we'll
make the best SEX :)

Right now enjoy the photos. Kiss, James.

Attachment: photos.jpg.zip

It is interesting to note that the sender address of infected messages
is formed with the domain of the recipient. This tactic makes it harder
to localize the infection epicentre and may give recipients the
impression that the message came from a colleague or acquaintance.

If someone carelessly opens the infected file attachment and launches
Mimial.c, the worm installs itself into the computer and proceeds to
spread through the network.

Mimail.c has the added ability to cause significant damage to those
using the E-Gold payment system. The worm traces the activity of E-Gold
applications installed on infected machines, records from them
confidential data, and send this information out to several anonymous
email addresses owned by the worm's creator.

Additionally, all infected computers are exploited to carry out a
distributed DoS attack on the www.darkprofits.com and
www.darkprofits.net web sites, sending to them an endless cycle of
random data packets."

nice information, thanks for the heads up.

Another new variant of this is out now. W32.Mimail.e and was discovered on 11/1. So far it has only been issued as a low risk from Symantec.

The email is different:

Subject: don't be late! <random characters>

Message Body:

Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

Attachment: readnow.zip (readnow.doc.scr)

<random characters>


This one does a DoS on different servers:

www.spews.org
www.spamhaus.org
www.spamcop.net

OR

mysupersales.com
www.mysupersales.com

More information, if interested, can be found here from Symantec or here from Trend Micro.


I actually received a copy of this email this morning. My Symantec Corporate Edition did no catch it, but of course I didn't click on anything there. Symantecs Live Updater will not be updated for this until 11/5! but the Intelligent Updater was updated today 11/3 for this.

Mimail variants spreading, target antispam sites
NOVEMBER 03, 2003 ( IDG NEWS SERVICE ) -



New versions of the Mimail e-mail worm are circulating on the Internet, according to alerts issued today from leading antivirus software companies.
The new variants are similar to a version of the worm that appeared last week, Mimail.C, and they contain instructions to launch distributed denial-of-service (DDoS) attacks against a number of antispam and e-commerce Web sites, according to alerts posted by Sophos PLC, Symantec Corp. and others.

The new variations, dubbed Mimail.E, Mimail.F and Mimail.H, all spread using e-mail messages taken from the hard drives of computers the worm infects, Sophos said.

Like other mass-mailing worms, Mimail targets machines running Microsoft Corp.'s Windows operating system and makes changes to the Windows configuration on machines to ensure the worm runs automatically whenever Windows starts, Sophos said.

The worm first appeared in August and tricked users by appearing to come from an administrator from their own Web domain. On Friday, a variant of Mimail, Mimail.C, began to spread and infected machines worldwide (see story).

The new variants have a different subject line and message body than either of the earlier versions of Mimail, according to Sophos. They also expand the list of Web sites targeted for DDos attacks, adding prominent spam blacklist sites such as www.spews.org and www.spamhaus.org to the list of targets, as well as e-commerce sites such as www.mysupersales.com, Sophos said.

While some of the target sites were unreachable today, most continued to operate, partly because of the low infection rate of the new variants, according to Chris Belthoff, a senior security analyst at Sophos. The company first detected the new variants over the weekend, Belthoff said.

Though they are different from the first Mimail worm and the Mimail.C variant, the new Mimail variants are similar to one another, Belthoff said. All are transmitted in an e-mail file attachment named readnow.zip. Users who open the compressed Zip file find the worm program, which they must also click on to decompress and run the program, infecting their computer, he said

The new variants also come in e-mail messages with the same subject line, "don't be late!" and a similar message body that reads in part, "Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late."

The new worm versions "don't show a lot of imagination," according to Belthoff. Even without antivirus software, users could filter messages based on the attachment name or subject line and be confident of stopping the new Mimail varieties, he said.

The simple structure of the worm and the seemingly random list of target Web sites may be evidence that the latest Mimail versions are "me too" copies that unsophisticated virus writers spun off from Mimail.C, Belthoff said.

Sophos as well as Symantec posted updated virus definitions for their products to stop the new variants, as well as instructions for removing Mimail from systems that have been infected.


http://www.computerworld.com/securi...1,86803,00.html


W32/Mimail-H

W32/Mimail-F

W32/Mimail-E

W32/Mimail-C

Dr_Evil