W32/Mimail.Q@mm

Analysis

  • Virus is 32 bit and polymorphic, with a compressed file size of 32,768 bytes
  • If the virus is run, it will display a fake error message with this text -

    Windows
    Error: Bad CRC32
    [OK]

  • The virus will copy itself to the local system as two files in the Windows folder (written as %Windows% below) -

    %Windows%\outlook.exe
    %Windows%\sys32.exe

  • The file "sys32.exe" is polymorphic across replications - each time this file is created on an infected system, its binary content differs, but the file size stays the same

  • The virus then searches files on the system for email addresses (some file types are skipped and not "scanned" by the virus) - all harvested addresses are written to a file named "outlook.cfg" in the %Windows% folder

  • For each address found, the virus attempts to use the mail server associated with the domain of that email address and sends itself directly using its own SMTP engine

  • The format of each email is varied - the subject line and body text differ in each message sent

  • The file attachment extension is varied between .PIF, .SCR and .EXE with a possibility that double-extensions are used, such as .GIF.EXE, .JPG.SCR and so on

  • The virus will next attempt to open a connection on the Internet to TCP port 3000 and in some cases TCP port 6667 - this functionality supports a remote connection such that a hacker could read contents of the hard drive or perform other actions

  • The virus will create an HTML application file as "C:\mshome.hta" - the HTML application will display what appears to be a notice from Microsoft that the Windows operating system end-user license has expired; further, the constructed form page requests financial information

  • Any details entered into the form fields are stored in a local file named "c:\mminfo.txt" - this stored file could be retrieved if a hacker were to connect to the infected system on the open TCP port
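As an added defender-side triage helper (not part of the Fortinet entry above), the following Python classifies an attachment name against the worm's .PIF/.SCR/.EXE and double-extension pattern, matches a list of file paths against the dropped-file indicators listed above, and flags netstat-style connections on TCP 3000/6667. The sample paths and netstat lines are constructed, and the Windows folder is assumed to be C:\Windows unless a different location is passed in.

```python
import re

BACKDOOR_PORTS = {3000, 6667}  # ports the analysis above associates with the backdoor

def attachment_risk(name):
    """'disguised' for a decoy double extension (.jpg.scr), 'executable' for bare .pif/.scr/.exe, else None."""
    m = re.match(r"^(.*?)(\.[a-z0-9]{1,4})?\.(pif|scr|exe)$", name, re.I)
    if not m:
        return None
    return "disguised" if m.group(2) else "executable"

def match_host_artifacts(paths, windows_dir=r"C:\Windows"):
    """Return the paths (compared case-insensitively) that match files the worm drops."""
    wanted = {
        (windows_dir + r"\outlook.exe").lower(),  # worm copy
        (windows_dir + r"\sys32.exe").lower(),    # polymorphic worm copy
        (windows_dir + r"\outlook.cfg").lower(),  # harvested e-mail addresses
        r"c:\mshome.hta",                         # fake licence-expiry form
        r"c:\mminfo.txt",                         # captured form data
    }
    return [p for p in paths if p.lower() in wanted]

def backdoor_connections(netstat_lines):
    """Parse 'netstat -an' style lines; return (local, remote) pairs touching TCP 3000/6667."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        local, remote = parts[1], parts[2]
        ports = {int(ep.rsplit(":", 1)[-1]) for ep in (local, remote)
                 if ep.rsplit(":", 1)[-1].isdigit()}
        if ports & BACKDOOR_PORTS:
            hits.append((local, remote))
    return hits

# Constructed sample data, not taken from a real infection.
SAMPLE_PATHS = [r"C:\Windows\outlook.exe", r"C:\WINDOWS\Sys32.exe",
                r"C:\Windows\notepad.exe", r"C:\mshome.hta"]
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.10:1043    203.0.113.5:3000     ESTABLISHED",
    "  TCP    192.168.1.10:445     0.0.0.0:0            LISTENING",
    "  TCP    192.168.1.10:1044    203.0.113.5:6667     SYN_SENT",
    "  TCP    192.168.1.10:1050    198.51.100.7:443     ESTABLISHED",
]
```

A listening or established socket on these ports is only a lead; confirm it against the dropped-file indicators before treating the host as infected.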

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

Product                    Level
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date Version Detail
2023-05-15 91.03286
2023-05-08 91.03076
2023-04-24 91.02671
2023-04-01 91.01965
2023-03-23 91.01677
2023-03-23 91.01675
2023-03-20 91.01601
2023-03-18 91.01544
2022-05-25 90.02623
2022-04-05 90.01122