Weekly Virus Report – Daker.A and Four Variants of Mimail Worms
This week’s report on malicious code will focus on a worm called Daker.A and four variants of Mimail.
Darker.A reaches computers in an e-mail message that includes an attached file and tries to trick the user into thinking that the attachment is a useful computer application. When this file is run, the worm sends itself out to the contacts it finds on the affected computer (in programs like Outlook or MSN Messenger or in files with certain extensions -WAB, HTM, HTML, TXT, etc.-). This malicious code also tries to spread through the following P2P (peer to peer) file sharing programs: KaZaA, Morpheus and Grokster.
Darker.A replicates by creating copies of itself without infecting other files. It also connects to an IRC server in order to allow hackers to gain remote access to the compromised computer and carry out different actions. These actions include: downloading, running and deleting files, obtaining information on the system, closing antivirus applications and running ICMP commands.
The E, F, G and H variants of Mimail spread in an e-mail message with the subject ‘don’t be late!’ and an attached file called READNOW.ZIP. When this file is decompressed, it creates a file with a double extension called READNOW.DOC.SCR.
These variants of Mimail are designed to send themselves out via e-mail using their own SMTP engine. Similarly, they try to launch Denial of Service (DoS) attacks on several websites and go memory resident in the computer. The differences between these variants include the following:
– The servers they launch Denial of Service attacks on: Variants E and F target spews.org, spamhaus.org and spamcop.net, whereas variant F attacks fethard.biz and fethard-finance.com, and the objective of variant G is mysupersales.com.
– All four variant are written in the C programming language with the LCC Win32 compiler. They are 10,784 bytes in size when compressed with UPX and when they are decompressed, the size of variants E, F and H increases to 23,072 bytes, whereas the size of variant G increases to 22,560 bytes.
Unlike Mimail and Mimail.B, variants E, F, G and H do not exploit the Codebase and MHTML vulnerabilities to spread.