W32/Mimail.H@mm
Analysis
- The virus is a 32-bit executable with a compressed size of 10,784 bytes and is a minor variant of W32/Mimail.E@mm
- The virus propagates by email and arrives as a .ZIP file named "readnow.zip"
- If the virus is run, it copies itself as "cnfrm33.exe" to the %Windows% folder and modifies the registry so that this file is loaded at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "Cn323" = C:\WINNT\cnfrm33.exe
- The virus then exits and runs "cnfrm33.exe", which stays resident as a process in memory
- The virus scans the hard drive for email addresses and saves them into a file named "eml.tmp" in the %Windows% folder
- The virus then constructs an email in the following format and sends it to every address listed in "eml.tmp", where "%s" is a run of random characters:
  From: john@ (target domain listed in "eml.tmp")
  X-Priority: 1 (High)
  Subject: don't be late! %s
  Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
  so don't be late. And yes, by the way here is the file you asked for.
  It's all written there. See you.%s
  Content-Type: application/x-zip-compressed; name="readnow.zip"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="readnow.zip"
- The attachment "readnow.zip" contains the virus file under the double extension "readnow.doc.scr"
- The virus attempts to connect to an SMTP server at the IP address 212.5.86.163 (ns.lemonti.ru) in order to send its emails to others
- The virus carries a Denial-of-Service (DoS) payload directed at two domains hard-coded in the virus
- The virus floods these domains with fragmented ICMP packets and UDP datagrams:
  spamhaus.org
  spews.org
Recommended Action
- Terminate the process "cnfrm33.exe" on an infected computer manually using Task Manager
- Delete the files "cnfrm33.exe", "exe.tmp" and "zip.tmp" from the %Windows% folder
- Block SMTP access to these addresses:
  ns.lemonti.ru
  212.5.86.163
- Temporarily block port 80 traffic from Internal to External (INT -> EXT) for the web addresses "spamhaus.org" and "spews.org"
- Add the following words to the banned words table for email:
  meet+tonight+agreed+Wednesday+be+late
- Configure email servers to quarantine email messages matching this pattern, and delete as necessary
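As an added example that is not part of the original advisory, the following Python script applies the email format given in the analysis and the banned-words recommendation above to a constructed message: it parses a MIME message, checks whether the subject and body together contain every word of the "meet+tonight+agreed+Wednesday+be+late" pattern, and opens any .zip attachment to look for members with an executable extension such as the "readnow.doc.scr" double extension. The sample message, the sender and recipient addresses, and the random suffixes are constructed for this example; the zip holds a harmless text stub, not the virus.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Words from the advisory's banned-words pattern; a message must contain all of them.
BANNED_WORDS = ("meet", "tonight", "agreed", "wednesday", "be", "late")

# Extensions Windows will execute; "readnow.doc.scr" ends in one of these.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")


def has_banned_phrase(text: str) -> bool:
    """True when every word of the banned-words pattern appears in the text."""
    words = set(re.findall(r"[a-z']+", text.lower()))
    return all(w in words for w in BANNED_WORDS)


def suspicious_zip_members(data: bytes) -> list:
    """Names of zip members whose final extension is executable (double extensions included)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXECUTABLE_EXTS):
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # a corrupt archive is left for other checks; nothing to report here
    return hits


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return the findings that drive a quarantine decision."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = {"banned_phrase": False, "zip_attachments": [], "executable_members": []}

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    findings["banned_phrase"] = has_banned_phrase(msg.get("Subject", "") + " " + text)

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            findings["zip_attachments"].append(fname)
            findings["executable_members"].extend(
                suspicious_zip_members(part.get_payload(decode=True)))

    findings["quarantine"] = findings["banned_phrase"] or bool(findings["executable_members"])
    return findings


def build_sample() -> bytes:
    """Constructed sample in the shape the advisory describes (assumed addresses, harmless stub)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readnow.doc.scr", "placeholder text, not an executable\n")

    msg = EmailMessage()
    msg["From"] = "john@example.test"      # constructed; the real worm fills in a domain from eml.tmp
    msg["To"] = "recipient@example.test"   # constructed
    msg["Subject"] = "don't be late! x7q2"  # "x7q2" stands in for the random %s suffix
    msg["X-Priority"] = "1 (High)"
    msg.set_content(
        "Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,\n"
        "so don't be late. And yes, by the way here is the file you asked for.\n"
        "It's all written there. See you.k3m9\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="readnow.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The banned-words check is deliberately a word-set test rather than an exact phrase match, since the advisory's pattern lists words joined with "+"; the attachment check flags the archive on the final extension, so it also catches the double-extension lure without needing the exact filename.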
Detection Availability
Product | Signature database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |