The Mimail worm spreads in e-mails as a ZIP archive that contains the worm's executable under the name PHOTOS.JPG.EXE. The worm tries to perform a DoS (Denial of Service) attack on certain sites and to steal information from users of infected computers.
[Description]:
The worm's file is a PE executable 12832 bytes long, packed with the UPX file compressor. The unpacked file is 28192 bytes long.
Spreading in e-mails
--------------------
The worm spreads in e-mails as a ZIP archive that contains the worm's executable under the name PHOTOS.JPG.EXE. The worm fakes the sender's e-mail address by composing it from 'james@' and the domain name of the recipient. An infected message looks like this:
From: james@recipient_domain_name
Subject: Re[2]: our private photos <some random characters>
Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl 😊
All our photos which i've made at the beach (even when u're without ur bh😊)
photos are great! This evening i'll come and we'll make the best SEX 😊
Right now enjoy the photos.
Kiss, James.
<some random characters>
Attachment: photos.zip
The worm does not use any exploits to make its file start automatically on a recipient's system. It infects a recipient's computer only when the user unpacks the executable from the archive and runs it.
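A mail-gateway check for the message pattern described above, as an added example that is not part of the original description: it flags a message whose sender is 'james@' plus the recipient's own domain, whose subject starts with the worm's template, or whose photos.zip attachment holds a double-extension executable. The sample message and the ZIP contents are constructed here (a placeholder text file named PHOTOS.JPG.EXE, not the real worm).

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment names like PHOTOS.JPG.EXE: an image-looking name ending in .exe.
DOUBLE_EXT = re.compile(r"\.(jpg|jpeg|gif|bmp)\.exe$", re.IGNORECASE)


def build_sample_message(recipient: str) -> bytes:
    """Constructed test message mimicking the worm's template (harmless)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PHOTOS.JPG.EXE", b"placeholder text, not an executable")
    msg = EmailMessage()
    msg["From"] = "james@" + recipient.split("@", 1)[1]  # spoofed sender
    msg["To"] = recipient
    msg["Subject"] = "Re[2]: our private photos xkq"
    msg.set_content("Right now enjoy the photos.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    return bytes(msg)


def mimail_indicators(raw: bytes) -> list[str]:
    """Return the Mimail traits found in one raw RFC 822 message ([] = none)."""
    msg = message_from_bytes(raw)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    # Trait 1: sender forged as 'james@' + the recipient's domain.
    if "@" in recipient and sender == "james@" + recipient.split("@", 1)[1]:
        hits.append("sender spoofed as james@<recipient domain>")
    # Trait 2: subject built from the worm's fixed prefix.
    if msg.get("Subject", "").lower().startswith("re[2]: our private photos"):
        hits.append("subject matches worm template")
    # Trait 3: photos.zip whose member list contains a double-extension .exe.
    for part in msg.walk():
        if (part.get_filename() or "").lower() != "photos.zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n for n in zf.namelist() if DOUBLE_EXT.search(n)]
        except zipfile.BadZipFile:
            continue  # unreadable archive: leave to the AV engine
        if names:
            hits.append("photos.zip contains double-extension executable: "
                        + ", ".join(names))
    return hits
```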
To collect victims' e-mail addresses the worm scans all files on the hard drive except those with the following extensions:
bmp, jpg, gif, exe, dll, avi, mpg, mp3, vxd, ocx, psd, tif, zip, rar, pdf, cab, wav, com
The collected addresses are saved into the EML.TMP file located in the Windows directory.
The worm tries to contact the recipient's SMTP server directly rather than going through the user's configured mail server. For this purpose it resolves the current user's DNS server and queries it for the SMTP (mail exchanger) server of the recipient's domain.