Some security vendors on Thursday issued alerts for W32/Mimail.s@MM, a worm that contains its own SMTP engine to replicate itself and also attempts to steal users' credit card information.
The worm harvests email addresses from the victim's computer by appending .org, .net or .com to certain strings found in files in the directory C:\Program Files, according to McAfee. These email addresses are then written to:
C:\windows\outlook.cfg
The subject and body of the email message sent out are constructed from strings found in the worm body. For example:
Subject: here is the file you asked for
Body: Hi! Here is the file you asked for!
Attachment: document.txt.scr
Similarly, filenames and extensions used for the attachment are constructed from strings found within the worm body. The attachment is BASE64 encoded. The following are the possible file extensions used:
This worm attempts to steal users' credit card information by displaying a fake Microsoft licensing window. The stolen credit card numbers are sent to email addresses found in the worm's body; the addresses are within the domains @mail15.com and @ziplip.com. The stolen information is stored in the file:
C:\XX
Find out more at this McAfee page.
W32.Mimail.S@mm is a variant of W32.Mimail.A@mm. The worms display a dialog box prompting the user for credit card information, according to Symantec.
The worm scans infected computers for email addresses, sending itself as an attachment to the addresses found. The message body and subject lines can vary.
Note: This threat was previously detected as W32.Mimail.R@mm.
Technical details are at this Symantec page.
According to Panda Software, Mimail.S is a worm that spreads via e-mail in a message with variable characteristics.
Mimail.S displays a dialog box that passes itself off as a form for renewing Windows licenses. By doing this, it attempts to trick the user into giving confidential information, such as credit card number and personal identification number (PIN).
Mimail.S sends itself out to all the addresses it finds on the affected computer, using its own SMTP engine, in an e-mail with the following characteristics:
Subject: a random combination of the following phrases: Re: , Re[2]: , Re[3]: / smart, cool, sexy, super / pics, images, pictures, photos, photo, picture / private, only for you, just for you, imortant, very important
Message: constructed in the same way as the subject, with texts like: Hi, Hello, Good evening / my dear, my dearest, my darling / Adeline, Alice, Ann, Annice, Barbara, etc.
Attachment: encoded in BASE64, with a name made up of four parts taken in order from the following lists:
my,priv,private,prv,the,best,super,great,cool,wild,sex,fuck
_,-,__
pic,img,phot,photos,pctrs,images,imgs,scene,plp,act,action
.pif,.scr,.exe,.jpg.scr,.jpg.pif,.jpg.exe,.gif.exe,.gif.pif,.gif
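The four name parts above give a mail gateway something concrete to match on. The following is an added example, not code from any of the vendor write-ups: it builds an anchored pattern from the published lists and runs it over a few constructed log lines (the `attach=` log format is an assumption).

```python
import re

# Word lists for the four attachment-name parts, as published for Mimail.S
PART1 = ["my", "priv", "private", "prv", "the", "best", "super", "great",
         "cool", "wild", "sex", "fuck"]
PART2 = ["_", "-", "__"]
PART3 = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs", "scene",
         "plp", "act", "action"]
PART4 = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
         ".gif.exe", ".gif.pif", ".gif"]


def _alt(words):
    # Longest alternatives first so "private" is tried before "priv"
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Whole-name match: part1 + separator + part3 + extension, nothing else
MIMAIL_S_ATTACHMENT = re.compile(
    rf"^(?:{_alt(PART1)})(?:{_alt(PART2)})(?:{_alt(PART3)})(?:{_alt(PART4)})$",
    re.IGNORECASE,
)


def is_mimail_s_attachment(name: str) -> bool:
    """True if an attachment filename fits the Mimail.S four-part scheme."""
    return bool(MIMAIL_S_ATTACHMENT.match(name))


# Constructed sample gateway log lines (not real traffic); format is assumed
SAMPLE_LOG = """\
2004-01-29 10:02:11 from=alice@example.org to=bob@example.org attach=report_q4.pdf
2004-01-29 10:02:13 from=zz@example.net to=bob@example.org attach=private_pic.jpg.scr
2004-01-29 10:02:19 from=carol@example.org to=dave@example.org attach=wild-scene.gif.exe
2004-01-29 10:02:20 from=eve@example.com to=dave@example.org attach=my__photos.gif
2004-01-29 10:02:25 from=ann@example.org to=bob@example.org attach=holiday_pics.jpg
"""

ATTACH_RE = re.compile(r"\battach=(\S+)")


def flag_suspicious(log_text: str):
    """Return (line_no, attachment) for each log line with a matching name."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = ATTACH_RE.search(line)
        if m and is_mimail_s_attachment(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for line_no, name in flag_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: suspicious attachment {name}")
```

The pattern covers only the Panda-published parts, so McAfee's sample name document.txt.scr is deliberately not matched; pair it with a blanket block on .scr/.pif executables rather than relying on the name lists alone.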
Mimail.S tries to steal the credit card details of the user of the infected computer. In order to do this, it displays a fake form that warns users that their Windows license has expired, and prompts them to renew it. This form requests personal data including a credit card number, its expiry date and its PIN.
After the user has entered the requested data, Mimail.S checks if the credit card number is correct and if it isn't, it displays an error message.
Mimail.S saves the information it obtains in a file called c:\xx and sends it out to several e-mail addresses stored in its code, among them juashjd@ziplip.com and lozinsky@mail15.com.
Finally, Mimail.S creates an entry in the Windows Registry in order to ensure it is run whenever the computer is started up.
More information is at this Panda Software page.
The Mydoom.A Epidemic Continues to Grow
Mydoom.A is still spreading rapidly. One in every five e-mails is carrying this worm, making four million infected e-mails currently in circulation, according to data collected by Panda Software.
Mydoom.A has infected six times more computers than Bugbear.B, the second most frequently detected virus. Corporate environments around the globe have been hit the hardest by Mydoom.A, and for this reason the number of infected computers has reached 400,000, the vendor reports. Furthermore, CNN estimates that the losses generated by this worm--due to loss of productivity and tech support expenses--could reach 250 million dollars.
The Mydoom.A worm is designed to attack and saturate networks of any size. It also creates a backdoor in the infected computers which could allow hackers to steal or compromise key corporate data.
On Wednesday, Mydoom.B was detected, which is potentially more dangerous than its predecessor: This variant is designed to prevent many antivirus programs from updating correctly.
Some stats collected by Panda Software are:
--Four million e-mails infected with this worm are in circulation
--Companies without protection installed who survived the first wave of infected messages are now the main victims
--This worm is expected to cost over $250 million
--At the moment, variant B--detected Wednesday--is not generating a large number of incidents
--At the same time as Mydoom.B appeared, the S variant of Mimail was detected, which passes itself off as an e-mail from Microsoft in order to steal confidential user information
Due to the possibility of being infected by Mimail.S, Mydoom.A and Mydoom.B, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions if they haven't already done so.
More information is at this Panda Software page.
Password Stealing Trojan and Worm May Arrive in HTML File
W32/Eyeveg-B is a password stealing Trojan and network worm. The worm may arrive in an HTML file that exploits a Microsoft Internet Explorer vulnerability which allows the worm to be executed.
For further information on this vulnerability and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletin MS02-015.
When first run, W32/Eyeveg-B copies itself to the Windows System folder using a random filename and adds its pathname to the following registry entry so that it is run automatically each time the computer is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
W32/Eyeveg-B then attempts to send cached passwords and system information to a remote location.
W32/Eyeveg-B spreads to shared drives on the local network, copying itself to the startup folder specified in the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup
Instructions for removing worms are at this Sophos page.
Trojan Uses IRC Channels to Control Computer
Backdoor.Aphexdoor is a backdoor Trojan horse that uses IRC channels to control a victim's computer.
Technical details are at this Symantec page.
Backdoor Trojan Connects to IRC Server to Receive Commands
W32.IRCBot.C is a UPX-packed Backdoor Trojan Horse that connects to an IRC server and waits for commands from an attacker.
Technical details are at this Symantec page.
--Compiled by Esther Shein