Summary

| Protection available since | 2 December 2003 04:27:17 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Delete the files xu298da.tmp, xu39reu.tmp and x8wui12s.tmp in the Windows folder if they exist.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\France
and delete it if it exists.
Close the registry editor.
More Information
W32/Mimail-L is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named xu298da.tmp in the Windows folder.
In order to run itself automatically when Windows starts up, the worm copies itself to the file svchost.exe in the Windows folder and adds the following registry entry pointing to it:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\France
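The persistence mechanism and dropped files described on this page can be checked for without a scanner. The following PowerShell script is an added example, not a Sophos tool or part of the original page; it is read-only and only reports what it finds, leaving removal to the steps in the Action section. The function name Test-MimailL is an assumption.

```powershell
# Added example: report W32/Mimail-L indicators on a Windows host (read-only).
function Test-MimailL {
    $windir   = $env:windir
    $findings = @()

    # 1. The Run-key value named 'France' that the worm adds to start its copy.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $runKey -Name 'France' -ErrorAction SilentlyContinue
    if ($val) {
        $findings += "Run key value 'France' present, points to: $($val.France)"
    }

    # 2. The files the worm writes to the Windows folder:
    #    harvested addresses, a copy of itself and a copy of wendy.zip.
    foreach ($name in 'xu298da.tmp', 'xu39reu.tmp', 'x8wui12s.tmp') {
        $path = Join-Path $windir $name
        if (Test-Path $path) { $findings += "Dropped file present: $path" }
    }

    # 3. svchost.exe directly in the Windows folder. The legitimate binary
    #    lives in System32, so a copy at this location is suspicious on its own.
    $fake = Join-Path $windir 'svchost.exe'
    if (Test-Path $fake) {
        $hash = (Get-FileHash -Path $fake -Algorithm SHA256).Hash
        $findings += "Unexpected $fake (SHA256 $hash); verify against a known-good copy"
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No W32/Mimail-L indicators found.'
    } else {
        $findings | ForEach-Object { Write-Output "[!] $_" }
    }
    return $findings
}

Test-MimailL
```

Run it from an elevated prompt so the HKLM key and the Windows folder are readable; any hit should be followed by the removal steps above.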
Hidden inside the virus is the following text which does not get displayed:
*** Made in France. *** virmakers
Explicit language used in emails sent by the worm may offend some customers. The emails sent by the worm have the following characteristics:
Subject line: Re[2]
Message text:
Hi Greg its Wendy.
I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.
He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger.But Greg, why didn't you warn me that his dick is 15 inches long???? I was struck, we fucked whole night.
I'h,'m so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...
Wendy.
Attached file: wendy.zip
The file wendy.zip is a compressed file which contains an executable file named for_greg_with_love.jpg.exe. The worm also creates a copy of itself named xu39reu.tmp and a copy of wendy.zip named x8wui12s.tmp, both in the Windows folder.
If the previous email cannot be sent, W32/Mimail-L will attempt to send another email without an attachment. This email pretends that the recipient's credit card details have been debited in connection with a transaction for child porn. This appears to be an attempt to panic the recipient and encourage him to email an address hosted by an anti-spam organisation. The email has the following characteristics:
Message text:
Good afternoon, We are going to bill your credit card for amount of $22.95 on a weekly basis. Free pack of child porn CDs is already on the way to your billing address. If you want to cancel membership and your CD pack please email order and credit card details to security@europe.spamhaus.org
Are you ready for all types of underage porn? We have the best selection for every taste!
Just click the secret links below and have fun:
http://www.spamhaus.org
http://www.spews.org
http://www.register.com
http://www.cardcops.com
http://www.carderplanet.net
http://www.spamcop.net
http://disney.go.com
http://www.authorizenet.com/
Nude boys under 16! Nude girls under 16! Incest, a daddy & a daughter! We have everything you have ever dreamed for!
W32/Mimail-L also attempts denial of service attacks targeting:
www.spamhaus.org
www.spews.org
www.register.com
www.cardcops.com
www.carderplanet.net
www.spamcop.net
www.authorizenet.com
disney.go.com
