W32/Mimail.U
Analysis
- Virus is 32 bit with a packed file size of 12,080 bytes
- This virus contains code to send itself by email, but that functionality is inoperable; the working part of the virus connects to an IRC server and waits for instructions from a malicious user
- This threat may have been received in a spammed email message as an attachment in this format -
Subject: Your account delete
Body:
Your account was deleted.
Details see in file.
--
SSGroup Support
(212) 799-03-21
Attachment: [file with .SCR extension]
-
If the attached file is opened or run, it copies itself to the Windows folder (C:\WINNT in the registry entry below) as "smvc32.exe" and then tries to locate at least one IRC server and connect to it on TCP port 7814; once connected, the virus waits for instructions from a malicious user
-
The registry is modified to auto run the virus at next Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"SMVC" = C:\WINNT\smvc32.exe
-
The virus scans the hard drive for email addresses; all of the collected addresses are saved into a temporary file named "c:\Cyclops.bin"
-
The contents of the .BIN file are then emailed by the virus to two hard-coded email addresses
-
The virus contains other code which is non-functional
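The analysis above lists several host and network indicators for this sample: the dropped file "smvc32.exe", the Run key value "SMVC", the harvest file "c:\Cyclops.bin", outbound TCP 7814, and the spam subject line. The following is an added example, written by the editor and not Fortinet's tooling, of matching those indicators against simplified endpoint and network events. The event records and their field names (kind, path, key, value_name, data, proto, dst_port, subject, attachment) are constructed for the example and are assumptions, not a real telemetry schema.

```python
"""IOC matcher for the W32/Mimail.U indicators listed in the analysis above.

Added example code, not part of the original page or any Fortinet product.
The event dictionaries below are constructed sample telemetry; the field
names are an assumption made for this example.
"""
from typing import Dict, List, Tuple

# Indicators taken from the analysis above.
IOC_FILE_NAMES = {"smvc32.exe", "cyclops.bin"}
IOC_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "SMVC"
IOC_IRC_PORT = 7814          # TCP port used to reach the IRC server
IOC_SUBJECT = "Your account delete"


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every indicator the event matches (empty if none)."""
    hits: List[str] = []
    kind = event.get("kind")
    if kind == "file":
        name = _basename(event.get("path", ""))
        if name in IOC_FILE_NAMES:
            hits.append(f"file:{name}")
    elif kind == "registry":
        key = event.get("key", "").rstrip("\\").lower()
        if key == IOC_RUN_KEY.lower() and event.get("value_name", "").upper() == IOC_RUN_VALUE:
            hits.append("registry:run-smvc")
        if "smvc32.exe" in event.get("data", "").lower():
            hits.append("registry:smvc32-data")
    elif kind == "network":
        # Port-only matching is a weak indicator on its own; see note below.
        if event.get("proto", "").lower() == "tcp" and int(event.get("dst_port", 0)) == IOC_IRC_PORT:
            hits.append("network:tcp-7814")
    elif kind == "email":
        if event.get("subject", "").strip().lower() == IOC_SUBJECT.lower():
            hits.append("email:subject")
        if event.get("attachment", "").lower().endswith(".scr"):
            hits.append("email:scr-attachment")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run match_event over a list of events; return (index, hits) for matches."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample events: five should match, two should not.
SAMPLE_EVENTS = [
    {"kind": "file", "path": r"C:\WINNT\smvc32.exe"},
    {"kind": "registry", "key": IOC_RUN_KEY, "value_name": "SMVC", "data": r"C:\WINNT\smvc32.exe"},
    {"kind": "network", "proto": "tcp", "dst_port": "7814"},
    {"kind": "network", "proto": "tcp", "dst_port": "443"},
    {"kind": "file", "path": r"c:\Cyclops.bin"},
    {"kind": "email", "subject": "Your account delete", "attachment": "details.scr"},
    {"kind": "file", "path": r"C:\WINNT\notepad.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

A lone connection to TCP 7814 is not conclusive on its own, since any service may use that port; treat the network hit as supporting evidence and the file plus Run-key hits as the primary signal. The registry check compares the key path case-insensitively and strips a trailing backslash, matching the form shown in the analysis.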
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Detection Availability

Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |