W32/Mimail.U

Analysis

  • The virus is a 32-bit executable with a packed file size of 12,080 bytes
  • The virus contains code to send itself by email, but this functionality is inoperable; it also connects to an IRC server to await instructions from a malicious user
  • This threat may have been received as an attachment to a spammed email message in the following format -

    Subject: Your account delete
    Body:
    Your account was deleted.
    Details see in file.
    --
    SSGroup Support
    (212) 799-03-21
    Attachment: [file with .SCR extension]

  • If the attached file is opened or run, it will copy itself to the Windows folder as "smvc32.exe" and then try to locate at least one IRC server and connect to it using TCP port 7814 - once connected, the virus will await instructions from a malicious user

  • The registry is modified to auto run the virus at next Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "SMVC" = C:\WINNT\smvc32.exe

  • The virus will scan the hard drive for email addresses; all of the collected addresses are saved into a temporary file named "c:\Cyclops.bin"

  • The contents of the .BIN file are then sent in an email to two hard-coded email addresses by the virus

  • The virus contains other code which is non-functional
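The host and network indicators listed above (the dropped file, the Run value, the address-harvest file and the IRC port) can be checked mechanically. The script below is an added example, not Fortinet's code or any product's detection logic: it takes exported registry Run entries, a list of file paths and simple flow records and reports which of the documented indicators are present. The record formats and all sample data are constructed for illustration.

```python
"""Offline indicator check for the W32/Mimail.U behaviour described above.

Added example (not Fortinet's code). The input formats used here
(registry tuples, path strings, 'proto src:sport -> dst:dport' flow
lines) are assumptions chosen for this illustration.
"""
import re
from dataclasses import dataclass

# Indicators taken from the analysis above
DROPPED_FILE = "smvc32.exe"
RUN_VALUE_NAME = "SMVC"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HARVEST_FILE = r"c:\cyclops.bin"
IRC_PORT = 7814


@dataclass
class Finding:
    source: str     # registry / filesystem / network
    indicator: str  # which documented behaviour matched
    detail: str     # the matching record


def check_registry_run(entries):
    """entries: iterable of (key, value_name, data) tuples (constructed format)."""
    findings = []
    for key, name, data in entries:
        same_key = key.rstrip("\\").lower() == RUN_KEY.lower()
        # Match either the documented value name or the dropped binary name,
        # so a renamed value still triggers on the file it launches.
        if same_key and (name.upper() == RUN_VALUE_NAME
                         or data.lower().endswith(DROPPED_FILE)):
            findings.append(Finding("registry", "autorun", f"{name} = {data}"))
    return findings


def check_files(paths):
    """paths: iterable of file paths found on the host."""
    findings = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if low.endswith("\\" + DROPPED_FILE):
            findings.append(Finding("filesystem", "dropped_binary", p))
        elif low == HARVEST_FILE:
            findings.append(Finding("filesystem", "address_harvest_file", p))
    return findings


_FLOW = re.compile(r"^(\w+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def check_connections(flows):
    """flows: iterable of 'proto src:sport -> dst:dport' strings (constructed format)."""
    findings = []
    for line in flows:
        m = _FLOW.match(line.strip())
        if not m:
            continue  # skip records that do not parse
        proto, _src, _sport, dst, dport = m.groups()
        if proto.lower() == "tcp" and int(dport) == IRC_PORT:
            findings.append(Finding("network", "irc_c2_port", f"{dst}:{dport}"))
    return findings


def scan(registry, files, flows):
    """Run all three checks and return the combined findings."""
    return check_registry_run(registry) + check_files(files) + check_connections(flows)


# Constructed sample data: one benign and one matching record per source
SAMPLE_REGISTRY = [
    (RUN_KEY, "SMVC", r"C:\WINNT\smvc32.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINNT\System32\ctfmon.exe"),
]
SAMPLE_FILES = [r"C:\WINNT\smvc32.exe", r"C:\Cyclops.bin", r"C:\WINNT\explorer.exe"]
SAMPLE_FLOWS = [
    "tcp 192.0.2.10:1053 -> 198.51.100.7:7814",
    "tcp 192.0.2.10:1054 -> 198.51.100.8:80",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_FLOWS):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

The network check matches on destination port alone, which is the weakest of the three indicators (any unrelated service on TCP 7814 will also match), so treat it as corroboration for the file and registry findings rather than as a standalone alert.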

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR