Posted on Friday, October 31, 2003 - 10:40 am:

Malware Name: WORM_MIMAIL.C
Aliases: W32.Bics.A, I-Worm.WatchNet, Mimail.C, W32/Mimail.c@MM, W32/Mimail-C Risk Rating: Low

Brief Description:
This memory-resident Internet worm that propagates through email using its own Simple Mail Transfer Protocol (SMTP) engine. The email arrives in the following
format:

To: admin@???
Subject: Re[2]: our private photos ???
Message Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl All our photos which i've made at the beach (even when u're without ur bh) photos are great! This evening i'll come and we'll make the best SEX

Right now enjoy the photos.
Kiss, James.
??? (Note: ??? is a variable string)
Attachment: "photos.zip"

It runs in Windows 95, 98, ME, NT, 2000 and XP.

In the Wild: Yes
Discovered: 10/31/2003
Detection available since: 10/31/2003
Detected by scan engine #: 615
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: Yes
Size of virus: 12,832 Bytes

Details:
Installation

Upon execution, this memory-resident worm drops a copy of itself as NETWATCH.EXE in the Windows folder.

It then creates the following registry entry so that its dropped copy executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
"NetWatch32"="%Windows%\Netwatch.exe"

(Note: %Windows% is the default Windows folder, usually C:\Windows or
C:\WinNT.)

This malware also creates the following files in the %Windows% directory:


EML.TMP - contains the compiled and gathered email addresses from the local machine ZIP.TMP - the .ZIP file that this worm sends as mail attachment EXE.TMP - a UPX-compressed Win32 .EXE file
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)

Email Propagation

This mass-mailing worm arrives as an email attachment, which is a .ZIP file containing the following:


an .HTML file
a UPX-compressed Win32 .EXE file
When the .HTML file is opened, the malware code is executed and it proceeds to exploit Internet Explorer's security system vulnerability. It then launches the EXE file, which carries the worm program.

It also uses Simple Mail Transfer Protocol (SMTP) servers and user names gathered from files not having the following extensions:


COM
WAV
CAB
PDF
RAR
ZIP
TIF
PSD
OCX
VXD
MP3
MPG
AVI
DLL
EXE
GIF
JPG
BMP
Other Details

This malware is packed using the UPX program so that it avoids direct disassembly and analysis. The malware code is a variant of WORM_MIMAIL.A , only with the Object Tag code base exploit (MS02-015) removed.


For more information, please visit:
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.C

Posted on Thursday, March 18, 2004 - 06:47 am:

Dear user, the management of Mindsightseries.com mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.

Advanced details can be found in attached file.

Yours,
The Mindsightseries.com team http://www.mindsightseries.com

Posted on Tuesday, March 23, 2004 - 06:34 am:

W32.Netsky.P@mm
Discovered on: March 21, 2004
Last Updated on: March 22, 2004 03:49:27 PM







Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Netsky.P@mm to a Category 3 from a Category 2 threat as of March 22, 2004.

W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with the .exe, .pif, .scr, or .zip file extension.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

This threat is compressed with FSG.



--------------------------------------------------------------------------------
Note:
Symantec Consumer products that support Worm Blocking functionality automatically detect this threat.
The worm's executable has a static MD5 hash value of 0x0A9FFA57D65083C92E0D3D69B00F2F0D.
Rapid release definitions dated March 21, 2004 or March 22, 2004 may detect this threat as W32.Netsky.Q@mm.
Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.P@mm.

--------------------------------------------------------------------------------


Also Known As: W32.Netsky.Q@mm, W32/Netsky.p@MM [McAfee], Win32.Netsky.P [Computer Associates], NetSky.P [F-Secure], W32/Netsky.P.worm [Panda], W32/Netsky-P [Sophos], WORM_NETSKY.P [Trend]

Type: Worm
Infection Length: 29,568 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
CVE References: CVE-2001-0154

Posted on Wednesday, January 25, 2006 - 08:52 am:

A mass mailing worm threat known as W32.Blackmal.E @ mm (Symantec's name for it) is rolling through the Internet. The reason for heightened concern with this mass mailing worm is that, when triggered, it is destructive in nature and attempts to shut down security software as well as destroy files and corrupt registries. According to most reports it is set to trigger itself on infected PCs on February 3, 2006.
FSecure and Trend Micro refer to this threat as Nyxem worm. Trend Micro detects the WORM_NYXEM.Z in Pattern File Version: 3.173.00, which was released Jan. 23, 2006. McAfee's (scan engine 4400) DAT file 4680 was released on Jan. 23, as well.
This version of the virus was first discovered on January 17, 2006. This well-known worm will be caught by Postini, and/or virus walls if the pattern files are up to date. This worm does not exploit O/S vulnerabilities, and therefore security patches cannot be deployed for protection. TrendMicro details can be found at this link: http://www.trendmicro.com/ftp/products/pattern/whatsnew.txt
McAfee details can be found at this link: http://www.sarc.com/avcenter/venc/data/w32.blackmal.e@mm.html

The SANS Security organization site has less technical jargon and can be found at http://isc.sans.org/

End user best practices for handling questionable email should be applied.
=======> Make sure all virus walls pattern files remain up to date. NEVER open any suspicious e-mail. <==============


======================== Press articles below ===============================================
Computer World, Jan. 23, 2006 - "Nyxem worm programmed to overwrite data files on Feb. 3
'Throwback' malware also travels under name of Kama Sutra"
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,107971,00.html?source=NLT_SEC&nid=107971
SC Magazine: Jan. 19, 2006 - "Porn worm disables security tools"
http://www.scmagazine.com/us/news/article/536374/?n=us