Threat Descriptions

Email-Worm:W32/Mimail.I

Classification

Category :

Malware

Type :

Email-Worm

Platform :

W32

Aliases :

Email-Worm.Win32.Mimail.i

Summary

This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.

Removal

Manual disinfection of an Mimail.I infected computer consists of the following steps:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]

2. Restart the computer

3. Delete '%WinDir%\svchost32.exe' (where %WinDir% is the Windows Directory, typically c:\windows\ or c:\winnt)

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/Mimail.I is a worm that propagates in infected email attachments. Mimail.I also has a payload: it uses a fake web that appears to be a legitimate enquiry from Paypal, in order to steal credit card information.

F-Secure has received reports of emails containing the Mimail.I worm that use the attachment name: 'paypal.asp.scr'. As the worm is coded to send emails with the attachment name 'www.paypal.com.scr', it is likely that these new messages were hand-crafted.

Mimail.I was found on November 14th, 2003.

Infection

Mimail.I arrives in email that looks as follows:

If the user runs the attachment, Mimail.I copies itself to the Windows Directory as:

  • svchost32.exe

This copy is added to the registry as:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]

The worm also drops a fake web form to:

  • c:\pp.hta
  • c:\pp.gif

Propagation

Mimail.I uses its own SMTP engine it sends emails with the malicious attachment.

The worm collects email addresses from files on the infected computer. It recursively searches through the user's document folders and looks into all the files whose extension is not on the following list

  • "bmp"
  • "jpg"
  • "gif"
  • "exe"
  • "dll"
  • "avi"
  • "mpg"
  • "mp3"
  • "vxd"
  • "ocx"
  • "psd"
  • "tif"
  • "zip"
  • "rar"
  • "pdf"
  • "cab"
  • "wav"
  • "com"

To find the SMTP server of the target email address, the worm does an MX lookup using a predefined public DNS server.

The emails used by Mimail.I to distribute its infected attachment has the following characteristics:

  • From: "PayPal.com" donotreply@paypal.com
  • Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
  • Attachment: www.paypal.com.scr
  • Body text:
 Dear PayPal member,
PayPal would like to inform you about some important information
 regarding your PayPal account. This account, which is associated
 with this email address recipient@somewhere
will be expiring within five business
 days. We apologize for any inconvenience that this may cause,
 but this is occurring because all of our customers are required
 to update their account settings with their personal information.
We are taking these actions because we are implementing a new
 security policy on our website to insure everyone's absolute
 privacy. To avoid any interruption in PayPal services then you
 will need to run the application that we have sent with this
 email (see attachment) and follow the instructions. Please do
 not send your personal information through email, as it will not
 be as secure.
IMPORTANT! If you do not update your information with our secure
 application within the next five business days then we will be
 forced to deactivate your account and you will not be able to
 use your PayPal account any longer. It is strongly recommended
 that you take a few minutes out of your busy day and complete
 this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an
 automated message system and the reply will not be received.
Thank you for using PayPal.

Payload

On executing the worm, a fake web form that appears to be from Paypal is displayed. This is a Social Engineering trick used by the worm to deceive users into entering their credit card information into the form.

Once entered, the credit card information from the form is collected to a file, 'c:\ppinfo.sys' which is later mailed to certain email addresses.