Mimail
Mimail
Type Mass mailer worm
Creator
Date Discovered 2003.08.01
Place of Origin Russia
Source Language C++
Platform MS Windows
File Type(s) .htm, .exe, .zip
Infection Length
Reported Costs $11.5 billion

Mimail is an email worm that steals passwords and was reported to have caused billions of dollars in damage.

Table of Contents

Behavior

The worm arrives as an email that appears to be from the administrator of the user's domain. If your mail address is kiki_the_black_cat@kitty.cc, the sender line will read admin@kitty.cc. The subject line is "your account" followed by a random string of numbers and letters. The message body informs the user that there is important information about their email account in the attached zip file, Message.zip.

Message.zip contains an htm file, Message.htm, which once opened in unpatched versions of Internet Explorer, creates the file Foo.exe in the temporary internet files folder. Foo.exe is actually the Mimail worm. While Foo.exe is running, the browser shows a black field with red text saying "Please wait loading message…..". Mimail copies itself to the Windows folder as Videodrv.exe. The worm adds the value "VideoDriver = (Windows directory)\videodrv.exe" Local Machine registry key that runs programs on startup It creates another registry key with the value "{11111111-1111-1111-1111-111111111111}".

The worm will capture text from some windows and send the information to a specific email address.

The worm then saves three files to the Windows directory, one, Zip.tmp, a temporary copy of the attachment, Message.zip, a copy of Message.html and eml.tmp, where it will store the email addresses it finds.

Mimail collects email addresses from local files and writes them to the file Windir\eml.tmp. The email addresses will be collected from files with the following extensions:

Mimailload.gif
Mimail "loading"
  • .bmp
  • .jpg
  • .gif
  • .exe
  • .dll
  • .avi
  • .mpg
  • .mp3
  • .vxd
  • .ocx
  • .psd
  • .tif
  • .zip
  • .rar
  • .pdf
  • .cab
  • .wav
  • .com

The worm has its own Zip file format for creating the Zip file and has its own SMTP engine to send infected files. It also has its own smtp engine to send copies of itself.

Sources

Atli Gudmundsson, Scott Geddis, Symantec.com, W32.Mimail.A@mm

F-Secure Computer Virus Information Pages, Mimail.A

Dr. Sureswaran Ramadass, Dr. Rahmat Budiarto, Mr. Ahmad Manasrah, Mr. M.F. Pasha. jEnterprise Suite For Network Monitoring and Security. (Power Point)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License