Mimail


Mimail is a mass-mailing email worm that harvests email addresses from the infected host and steals passwords and other text typed into certain windows. It was reported to have caused billions of dollars in damage.

Behavior

The worm arrives as an email that appears to come from the administrator of the recipient's own domain: if the recipient's address is kiki_the_black_cat@kitty.cc, the sender line reads admin@kitty.cc. The subject line is "your account" followed by a random string of letters and digits. The message body tells the user that important information about their email account is in the attached zip file, Message.zip.
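The three lure traits above (sender forged as admin@ the recipient's own domain, a "your account" subject with a random tag, and a Message.zip attachment wrapping Message.htm) are enough for a mail-gateway heuristic. The following is an added example, not code from the original page or from either cited vendor writeup: it builds a constructed sample message in the described shape and classifies it. The minimum length of four characters for the random subject tag is an assumption; the page only says the tag is random.

```python
"""Heuristic detector for the Mimail.A lure message (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject is "your account" plus a random alphanumeric tag.
# ASSUMPTION: the tag is at least 4 characters long; the page gives no length.
SUBJECT_RE = re.compile(r"^your account\s+[0-9a-z]{4,}$", re.IGNORECASE)


def is_mimail_lure(raw_message: bytes) -> bool:
    """Return True when all three lure traits are present in an RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    to_addr = str(msg.get("To", ""))
    from_addr = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))

    # Recipient domain: kiki_the_black_cat@kitty.cc -> kitty.cc
    m = re.search(r"@([\w.-]+)", to_addr)
    if not m:
        return False
    domain = m.group(1).lower()

    # Trait 1: sender forged as the administrator of the recipient's own domain.
    if from_addr.strip().lower() != f"admin@{domain}":
        return False

    # Trait 2: "your account" subject followed by a random tag.
    if not SUBJECT_RE.match(subject.strip()):
        return False

    # Trait 3: Message.zip attachment that contains Message.htm.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            continue
        if "message.htm" in names:
            return True
    return False


def build_sample(to_addr="kiki_the_black_cat@kitty.cc",
                 from_addr="admin@kitty.cc",
                 subject="your account f8k2x9",
                 attachment="Message.zip",
                 inner="Message.htm") -> bytes:
    """Constructed sample message in the lure's shape; not a real Mimail capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder HTML; the real Message.htm carried the dropper.
        zf.writestr(inner, "<html><body>placeholder</body></html>")
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("Important information about your email account is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    print("lure:", is_mimail_lure(build_sample()))                       # True
    print("other sender:", is_mimail_lure(build_sample(from_addr="admin@other.cc")))  # False
```

The sender check is deliberately strict (exact admin@ of the recipient domain) because that is what made the lure convincing; a gateway rule would normally combine it with the attachment check rather than block on the subject alone.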

Message.zip contains an HTML file, Message.htm. When it is opened in an unpatched version of Internet Explorer, it creates the file Foo.exe in the Temporary Internet Files folder and runs it; Foo.exe is the Mimail worm itself. While Foo.exe runs, the browser shows a black page with red text reading "Please wait loading message.....". Mimail copies itself to the Windows folder as Videodrv.exe and adds the value "VideoDriver = (Windows directory)\videodrv.exe" to the Local Machine registry key that runs programs at startup. It also creates a second registry key named "{11111111-1111-1111-1111-111111111111}".

The worm will capture text from some windows and send the information to a specific email address.

The worm then saves three files to the Windows directory: Zip.tmp, a temporary copy of the Message.zip attachment; a copy of Message.html; and eml.tmp, in which it stores the email addresses it finds.

Mimail collects email addresses from files on the local hard disk and writes them to the file Windir\eml.tmp. It scans every file except those with the following extensions (binary formats unlikely to contain addresses):

  • .bmp
  • .jpg
  • .gif
  • .exe

  • .dll
  • .avi
  • .mpg
  • .mp3
  • .vxd
  • .ocx
  • .psd
  • .tif
  • .zip
  • .rar
  • .pdf
  • .cab
  • .wav
  • .com

The worm carries its own code for building the Zip attachment and its own SMTP engine for sending copies of itself to the harvested addresses, so it does not depend on the victim's mail client.

Sources

Atli Gudmundsson and Scott Geddis, Symantec Security Response, "W32.Mimail.A@mm"

F-Secure Computer Virus Information Pages, "Mimail.A"
