November 03, vnunet.com
Destructive MiMail variant hits Web.
Antivirus firms have warned of a destructive worm that has just emerged in the wild. The W32/Mimail.c@MM, also known as Mimail.c, is a dangerous worm that bears similarities to W32MiMail@MM. Mimail.c contains its own SMTP engine for constructing messages, and mails itself as a zip or upx attachment. After being executed, Mimail.c e−mails itself out as an attachment with the filename 'Photos.zip'. Target e−mail addresses are harvested from the victim's machine and are written to the file eml.tmp in WinDir. Users should immediately delete any email containing the following
1) Subject: Re[2]: our private photos [plus additional spaces then random characters]
2) Attachment: 'photos.zip' (12,958 bytes) which contains 'photos.jpg.exe' (12,832 bytes).
Also, in a bid to make the virus e−mails less conspicuous, the 'From' address of infected outgoing messages may be spoofed with james@(target domain.com) − for example, james@abc.com.
Source: http://www.vnunet.com/News/1146971
Destructive MiMail variant hits Web.
Antivirus firms have warned of a destructive worm that has just emerged in the wild. The W32/Mimail.c@MM, also known as Mimail.c, is a dangerous worm that bears similarities to W32MiMail@MM. Mimail.c contains its own SMTP engine for constructing messages, and mails itself as a zip or upx attachment. After being executed, Mimail.c e−mails itself out as an attachment with the filename 'Photos.zip'. Target e−mail addresses are harvested from the victim's machine and are written to the file eml.tmp in WinDir. Users should immediately delete any email containing the following
1) Subject: Re[2]: our private photos [plus additional spaces then random characters]
2) Attachment: 'photos.zip' (12,958 bytes) which contains 'photos.jpg.exe' (12,832 bytes).
Also, in a bid to make the virus e−mails less conspicuous, the 'From' address of infected outgoing messages may be spoofed with james@(target domain.com) − for example, james@abc.com.
Source: http://www.vnunet.com/News/1146971