How this particular identity-theft mass-mailing worm works...
Win32/Mimail.p@MM is a mass-mailing worm, intended to email itself from computer-to-computer using target email addresses harvested from infected computers. This worm uses its own SMTP mailer engine —it doesn't rely on any specific e-mail client.
IDENTITY THEFT! Additionally, its email-attachment file payload (usually pp-app.zip in this variation) is designed to steal credit card and other personal information from any unwitting victim.
Here's what a typical Win32/Mimail.p@MM worm email message looks like when received in Microsoft Outlook:
The "From:" address used by the worm is fake, to make the message appear to come from PayPal.com.
The ":To:" address (shown in the example as "Your Name") may be the victim's name or some other stolen/faked name.
The "Subject:" field typically contains this text, "GREAT NEW YEAR OFFER FROM PAYPAL.COM!", followed by a string of random characters.
When the email-attached file (the worm) is opened (executed), it copies its files onto the victim's computer into the Windows directory, then modifies the Windows registry to launch itself at the next system startup.
When sending e-mail, Win32/Mimail.p@MM harvests e-mail addresses from the victim's computer by searching a number of folders where email addresses are commonly stored by various programs. All e-mail addresses the worm finds on the victim's computer are stored in the file "OUTLOOK.CFG", which the worm creates in the Windows folder.
When sending e-mail to a particular address, Win32/Mimail.p@MM queries a DNS server for the mail exchanger (MX record) of the recipient's domain to learn the name of that domain's mail server. For example, when sending an e-mail to firstname.lastname@example.org, the worm would look up the mail server for the domain "example.org" and then connect directly to that mail server (port 25, using SMTP). Win32/Mimail.p@MM doesn't try to send e-mail unless it has first determined that the user's machine is connected to the Internet; to verify connectivity, the worm attempts to connect to www.google.com. The purpose of the outgoing messages sent by the worm is to spread the worm (in the ZIP file attachment).
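The direct-to-MX delivery described above gives a network defender something concrete to look for: an ordinary workstation hands its mail to the site's own relay, not to port 25 on many outside servers in quick succession. The following Python script is an added example (not part of the original Police Notebook page or of any vendor's analysis of the worm) that flags that pattern in connection logs. The log line format (timestamp, source, destination, port, protocol), the site address range 10.0.0.0/8, the sanctioned relay 10.0.0.25 and the sample lines are all constructed assumptions made for the example.

```python
"""Flag workstations that deliver mail straight to outside MX hosts.

Added example, not from the original Police Notebook page.  The flow
log format (timestamp src dst dport proto), the site range 10.0.0.0/8,
the sanctioned relay 10.0.0.25 and the sample lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")       # assumed site address range
ALLOWED_RELAYS = {ip_address("10.0.0.25")}     # assumed sanctioned mail relay

# Constructed sample log; 10.0.5.23 behaves like an infected host
# (one web probe, then port 25 to four different outside servers).
SAMPLE_FLOWS = """\
2004-01-05T09:14:02 10.0.5.23 10.0.0.53 53 udp
2004-01-05T09:14:03 10.0.5.23 203.0.113.80 80 tcp
2004-01-05T09:14:05 10.0.5.23 192.0.2.10 25 tcp
2004-01-05T09:14:06 10.0.5.23 198.51.100.7 25 tcp
2004-01-05T09:14:07 10.0.5.23 203.0.113.5 25 tcp
2004-01-05T09:14:08 10.0.5.23 203.0.113.9 25 tcp
2004-01-05T09:14:09 10.0.5.23 192.0.2.10 25 tcp
2004-01-05T09:15:11 10.0.5.40 10.0.0.25 25 tcp
2004-01-05T09:15:30 10.0.5.40 203.0.113.5 25 tcp
this line is damaged and is skipped
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, proto); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            yield ts, ip_address(src), ip_address(dst), int(dport), proto.lower()
        except ValueError:
            continue


def find_direct_smtp_senders(text, internal_net=INTERNAL_NET,
                             allowed_relays=ALLOWED_RELAYS, threshold=3):
    """Return {source: [external SMTP destinations]} for internal hosts
    that opened TCP/25 to at least `threshold` distinct outside servers,
    ignoring the sanctioned relay(s)."""
    dests = defaultdict(set)
    for _ts, src, dst, dport, proto in parse_flows(text):
        if proto != "tcp" or dport != 25 or src not in internal_net:
            continue
        if dst in internal_net or dst in allowed_relays:
            continue
        dests[src].add(dst)
    return {str(src): sorted(str(d) for d in ds)
            for src, ds in dests.items() if len(ds) >= threshold}


if __name__ == "__main__":
    for host, servers in find_direct_smtp_senders(SAMPLE_FLOWS).items():
        print(f"{host}: direct SMTP to {len(servers)} outside hosts: "
              f"{', '.join(servers)}")
```

To use it on a real export, pass the file's text to find_direct_smtp_senders and raise the threshold to suit the site. The worm's www.google.com probe just before its first port-25 connection is corroborating evidence in the same log, but on its own it is far too common to alert on.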
The W32/Mimail.p@MM worm mailing/message is constructed to fool the recipient into thinking it's a legitimate letter from PayPal.com. If an Internet connection is detected on execution, two forms are displayed asking for credit card and personal information. Once this information is filled in, it is sent to a remote website.
When first run, Mimail.P displays the following window:
If sufficient details are entered, it then displays this message:
Finally, it displays this message:
The worm saves the information entered into the two identity-theft forms to a temporary file, and the main worm executable constantly checks for the presence of that temp file. If/when it's found, the worm sends the victim's personal data to several different e-mail addresses. The worm also collects the victim's ISP/dialup information from the MS Windows registry: RAS, POP and SMTP server accounts.
The worm can send out all its collected loot (all the email addresses found on the victim's machine, the victim's personal data from the filled-in forms, and the ISP/email server info) using server applets hosted on a Russian website. It may also modify the victim's default MSIE home page.
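Because the worm persists by editing the registry so that it runs at startup, and may also reset the MSIE home page, a responder checking a suspect machine will want to look at the autorun entries and the browser start page together. Below is an added example in Python (not code from the original page) that triages a regedit .reg export of those keys: it flags Run entries whose program is a bare file name or sits directly in the Windows directory, and an Internet Explorer Start Page that is not the expected one. The Run keys and the Internet Explorer "Main" key are the standard locations; the sample export, the file name payload.exe and the expected home page are constructed assumptions, since the page does not name the worm's files or registry values.

```python
"""Triage a .reg export for worm-style autorun and home-page changes.

Added example, not from the original Police Notebook page.  The Run
keys and the Internet Explorer "Main" key are the standard locations;
the sample export, the file name payload.exe and the expected Start
Page are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
# One REG_SZ line as regedit writes it: "name"="value", with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (regedit doubles backslashes and escapes quotes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\WINDOWS\\payload.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://203.0.113.7/"
"""


def parse_reg(text):
    """Return {key: {value_name: string_value}} for the REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
            keys[current][name] = value
    return keys


def command_path(value):
    """Extract the program path from a Run value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage(keys, windir=r"C:\WINDOWS", expected_start_pages=("about:blank",)):
    """Return (key, value_name, reason) for entries worth a closer look."""
    findings = []
    windir_path = PureWindowsPath(windir)          # comparison is case-insensitive
    expected = {p.lower() for p in expected_start_pages}
    for key, values in keys.items():
        if RUN_KEY_RE.search(key):
            for name, value in values.items():
                exe = PureWindowsPath(command_path(value))
                if exe.parent == PureWindowsPath("."):
                    findings.append((key, name, "bare file name, resolved by path search"))
                elif exe.parent == windir_path:
                    findings.append((key, name, "program sits directly in the Windows directory"))
        elif key.lower() == IE_MAIN_KEY.lower():
            start = values.get("Start Page")
            if start is not None and start.lower() not in expected:
                findings.append((key, "Start Page", f"home page changed to {start}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name}: {reason}")
```

Export the keys from the suspect machine with regedit (or reg export) and feed the text to parse_reg; every finding is a lead to check by hand, not a verdict, since legitimate drivers also register bare file names in Run.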
Also, don't expect a fake email to be "crude" in any way! These identity thieves copy real webpages and forms from actual commercial sites to make their fake mailings/websites/forms look identical to the real McCoy!
Play it safe! Don't open ANY email attachments, even those that appear to come from your friends, unless you personally solicited the attachment from them, or have checked with them about it first.
The Police Notebook, Copyright © 2004,
Sponsor: OU Police Department — Developer: Richard M. Hamilton, OUPD