W32/Mimail.Q@mm
Analysis
- The virus is a 32-bit, polymorphic Windows executable with a compressed file size of 32,768 bytes
- When run, the virus displays a fake error dialog with the following text:
    Windows
    Error: Bad CRC32
    [OK]
- The virus copies itself to the local system as two files in the Windows folder (written below as %Windows%):
    %Windows%\outlook.exe
    %Windows%\sys32.exe
- The file sys32.exe is polymorphic across replications: each copy created on an infected system differs in its binary code but keeps the same file size
- The virus searches files on the local system for email addresses (certain files are skipped) and stores every address it harvests in a file named outlook.cfg in the %Windows% folder
- For each harvested address, the virus looks up the mail server for the address's domain and sends itself directly to that server using its own SMTP engine
- The format of each email varies: the subject line and body text differ from message to message
- The attachment extension varies between .PIF, .SCR and .EXE, and double extensions such as .GIF.EXE or .JPG.SCR may be used so that the attachment appears to be an image
- The virus then opens a connection on TCP port 3000 and, in some cases, TCP port 6667; this provides a remote-access channel through which an attacker could read the contents of the hard drive or perform other actions
- The virus creates an HTML application file as C:\mshome.hta; when displayed, it imitates a Microsoft notice claiming that the Windows end-user license has expired, and the form it presents requests financial information
- Any details entered into the form fields are stored locally in c:\mminfo.txt; an attacker connecting to the infected system on the open TCP port could retrieve this file
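Two of the behaviours above translate directly into checks a defender can script: the attachment naming (a .PIF, .SCR or .EXE payload, possibly behind a decoy double extension) for a mail gateway, and the dropped files plus the TCP 3000/6667 channel for host triage. The following is an added example, not Fortinet's code. It assumes the Windows folder is C:\Windows (the analysis only says "the Windows folder"; pass the real path for the host), takes a file listing and `netstat -an` output as input instead of touching a live system, and all sample data is constructed.

```python
"""
Triage helpers for the W32/Mimail.Q@mm indicators described in the analysis above.
Added example, not Fortinet's code; every sample input below is constructed.
"""
import ntpath
import re
from typing import Iterable, List, Optional, Set, Tuple

# Attachment extensions the worm uses for its payload.
PAYLOAD_EXTS = {"pif", "scr", "exe"}
# Assumption: inner extensions used as decoys in double-extension names (.GIF.EXE, .JPG.SCR, ...).
DECOY_EXTS = {"gif", "jpg", "jpeg", "bmp", "txt", "doc", "htm", "html", "zip"}

# Files the worm drops. The Windows folder is supplied by the caller (default is an assumption);
# the analysis places the HTA and the captured-form file on the root of C:.
WINDOWS_DIR_IOCS = {"outlook.exe", "sys32.exe", "outlook.cfg"}
ROOT_IOCS = {"mshome.hta", "mminfo.txt"}
# TCP ports used by the worm's remote-access channel.
BACKDOOR_PORTS = {3000, 6667}


def classify_attachment(filename: str) -> str:
    """Return 'double-extension', 'executable' or 'clean' for an attachment name.

    Case-insensitive; tolerates padding around the dots ('photo.jpg   .scr'),
    a trick used to push the real extension out of view in mail clients.
    """
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) < 2 or parts[-1] not in PAYLOAD_EXTS:
        return "clean"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def match_dropped_files(existing_paths: Iterable[str], windows_dir: str = "C:\\Windows") -> Set[str]:
    """Return the entries of `existing_paths` (a listing or image index) that are
    known drop locations for this worm. Comparison is case- and separator-insensitive."""
    expected = {ntpath.join(windows_dir, n).lower() for n in WINDOWS_DIR_IOCS}
    expected |= {ntpath.join("C:\\", n).lower() for n in ROOT_IOCS}
    return {p for p in existing_paths if ntpath.normpath(p).lower() in expected}


# One line of Windows `netstat -an` output: proto, local endpoint, remote endpoint, optional state.
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def _port(endpoint: str) -> Optional[int]:
    """Port of 'host:port'; also handles '[::]:port' and the UDP '*:*' placeholder."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def find_backdoor_sockets(netstat_lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Flag TCP sockets on the worm's ports: ('listen', port) for a local listener,
    ('outbound', port) for a connection whose remote end is on one of those ports."""
    hits = set()
    for line in netstat_lines:
        m = _NETSTAT_LINE.match(line)
        if not m or m.group(1).upper() != "TCP":
            continue
        local, remote = _port(m.group(2)), _port(m.group(3))
        state = (m.group(4) or "").upper()
        if state == "LISTENING" and local in BACKDOOR_PORTS:
            hits.add(("listen", local))
        elif remote in BACKDOOR_PORTS:
            hits.add(("outbound", remote))
    return sorted(hits)


# Constructed sample inputs for the demo run.
SAMPLE_ATTACHMENTS = ["invoice.GIF.EXE", "photo.jpg .scr", "readme.pif", "notes.txt", "archive"]
SAMPLE_PATHS = ["C:\\Windows\\explorer.exe", "C:\\Windows\\sys32.exe",
                "c:\\windows\\outlook.cfg", "C:/mminfo.txt"]
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:6667       ESTABLISHED
  UDP    0.0.0.0:137            *:*
""".splitlines()


def triage(attachments=SAMPLE_ATTACHMENTS, paths=SAMPLE_PATHS, netstat=SAMPLE_NETSTAT) -> dict:
    """Run all three checks and return their results keyed by check name."""
    return {
        "attachments": {a: classify_attachment(a) for a in attachments},
        "dropped_files": match_dropped_files(paths),
        "sockets": find_backdoor_sockets(netstat),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(check, result)
```

The attachment check is deliberately stricter than a plain extension match: `photo.jpg .scr` and `invoice.GIF.EXE` are both flagged as double extensions, which is the case a user is most likely to click. The socket check reports outbound connections to 3000/6667 as well as listeners, since the analysis describes the channel as a connection the worm opens rather than only a port it binds.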
Recommended Action
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |