Galt.1574
Description Galt.1574
It is a harmless memory resident parasitic stealth virus. It traces and hooks INT 21h and then writes itself to the end of COM and EXE files that are accessed. The virus contains the text strings: 22/07/95 John Galt - RT Fishel
I-Worm.Mimail.j
Description I-Worm.Mimail.j
This worm is a modification of I-Worm.Mimail.i. It spreads via the Internet as a file named InfoUpdate.exe attached to infected messages. The worm itself is a Windows PE EXE file, packed with UPX. The size of the compressed file is approximately 13KB and the size of the decompressed file is approximately 30KB.
Characteristics of infected messages:
Sender's address: Do_Not_Reply@paypal.com
Message header: IMPORTANT
Message body:
Dear PayPal member,
We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information. To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attachment name: www.paypal.com.pif or InfoUpdate.exe
All other details, such as how the worm installs itself, manifests itself in the system and replicates, are the same as for I-Worm.Mimail.i.
I-Worm.Mimail.p
Description I-Worm.Mimail.p
This worm spreads via the Internet in the form of files attached to infected messages. The worm is a Windows PE EXE file of 57888 bytes.
Contents of infected messages:
Sender: donotreply@paypal.com
Message header: "GREAT NEW YEAR OFFER FROM PAYPAL.COM!"
Message text:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***
Dear PayPal.com Member,
We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!
If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.
That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!
Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com
Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!
Best of luck in the New Year,
PayPal.com Team
Attachment name: pp-app.zip
The worm is activated only when the user opens the archive and runs the infected file. When this is done, the worm installs itself to the system and begins replicating.
Installation
The worm copies itself to the Windows system directory under the name 'Winmgr.32.exe' and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMgr32" = "%Windir%\winmgr32.exe"
In the C: root directory the worm creates the following files: "index.hta", "index2.hta", "tmpcan3.txt" and "tmpny3.txt", which are used by the dialogue boxes. The worm also creates the files zipzip.tmp and ee98af.tmp in the Windows directory.
How the worm sends mail
To send infected messages the worm uses its own SMTP library. In order to send messages directly to the recipient's SMTP server, the worm makes use of the DNS server 212.5.86.163.
To find email addresses to send messages to, the worm looks for address lines which contain the following suffixes:
.ca .au .uk .us .edu .gov .mil .de .it .ru .fr .info .org .net .com @email.msn.com @prodigy.net @safe-mail.net @excite.com @zwallet.com @erols.com @bigpond.com @usa.net @bigfoot.com @bellsouth.net @attglobal.net @att.net @attbi.com @email.it @lycos.com @sbcglobal.net @shaw.ca @themail.com @verizon.net @yahoo.com @msn.com @mail.com @hotmail.com @earthlink.net @aol.com
but does not search for addresses in files with the following extensions: jpg, gif, exe, dll, avi, mpg, mp3, vxd, ocx, psd, tif, zip, rar, pdf, cab, wav, com.
Other information
When executed, the worm displays a dialogue box on screen which asks for PayPal credit card details. Data entered is stored in 'c:\tmpny3.txt' and is then sent on to the author of the worm.
The worm opens port 5555 to listen for commands. In a similar way to versions Mimail.a, Mimail.b and Mimail.c, the worm is able to steal information from E-Gold users. The worm also sends its author the following information about the infected system:
Account Name
POP3 Password2
POP3 Server
POP3 User Name
NNTP Server
NNTP User Name
SMTP Server
SMTP Display Name
SMTP Email Address
SMTP Organization Name
RAS Information
INETCOMM Server Passwords
The worm changes the home page in Internet Explorer to a link containing pictures of George Bush: http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg.
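The two Mimail descriptions above (I-Worm.Mimail.j and I-Worm.Mimail.p) give a mail gateway everything it needs to recognise these lures on the way in: a spoofed PayPal sender, a fixed subject line, body text that tells the reader to run the attachment, and a small set of attachment names. The triage script below is an added example for defenders and is not code from the original page or from any antivirus vendor; it uses only the indicators listed in the descriptions, and the three e-mail messages it parses are constructed samples (the attachment payloads are placeholder bytes, not real archives or executables).

```python
"""Triage a captured e-mail against the I-Worm.Mimail.j / .p lure indicators.

Added example (not from the original page).  Indicators are taken from the
descriptions above; the sample messages below are constructed for the test.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# Sender addresses and subject lines quoted in the Mimail.j / Mimail.p descriptions.
SPOOFED_SENDERS = {"do_not_reply@paypal.com", "donotreply@paypal.com"}
KNOWN_SUBJECTS = {"important", "great new year offer from paypal.com!"}
# Attachment names quoted in the descriptions (compared case-insensitively).
KNOWN_ATTACHMENTS = {"infoupdate.exe", "www.paypal.com.pif", "pp-app.zip"}
# Extensions that have no business arriving as an "account reactivation" tool;
# .zip is included because Mimail.p ships its executable inside pp-app.zip.
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".zip"}
# Social-engineering phrases from both message bodies.
LURE_PHRASES = ("run the attached", "run the application", "run it and follow")


def triage(raw: bytes) -> list[str]:
    """Return a list of 'class:detail' findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() in SPOOFED_SENDERS:
        findings.append(f"spoofed-sender:{sender.lower()}")

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        findings.append(f"known-subject:{subject}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(phrase in body for phrase in LURE_PHRASES):
        findings.append("lure-text:asks-to-run-attachment")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            findings.append(f"known-attachment:{name}")
        ext = os.path.splitext(name)[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-extension:{ext}")
    return findings


def is_suspicious(raw: bytes) -> bool:
    """Flag the message when two or more independent indicator classes fire,
    so a lone .zip attachment from a colleague is not treated as a worm."""
    classes = {finding.split(":", 1)[0] for finding in triage(raw)}
    return len(classes) >= 2


# Constructed sample resembling the Mimail.p lure (placeholder payload).
SAMPLE_MIMAIL_P = b"""From: donotreply@paypal.com
To: victim@example.org
Subject: GREAT NEW YEAR OFFER FROM PAYPAL.COM!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear PayPal.com Member,
Just unpack the attachment with WinZip, run the application, and follow the instructions.
--b1
Content-Type: application/zip; name="pp-app.zip"
Content-Disposition: attachment; filename="pp-app.zip"
Content-Transfer-Encoding: base64

QUJDRA==
--b1--
"""

# Constructed sample resembling the Mimail.j lure (placeholder payload).
SAMPLE_MIMAIL_J = b"""From: Do_Not_Reply@paypal.com
To: victim@example.org
Subject: IMPORTANT
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Dear PayPal member,
To update your personal profile you have to run the attached application to this email.
--b2
Content-Type: application/octet-stream; name="InfoUpdate.exe"
Content-Disposition: attachment; filename="InfoUpdate.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--b2--
"""

# Constructed benign message with no attachment.
SAMPLE_BENIGN = b"""From: alice@example.org
To: bob@example.org
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("Mimail.p", SAMPLE_MIMAIL_P), ("Mimail.j", SAMPLE_MIMAIL_J), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(sample), triage(sample))
```

Because the verdict requires two indicator classes, a message that only reuses one of the attachment names, or only carries a risky extension, is reported but not blocked; the sender, subject and lure-text checks are what make the combination characteristic of these two worms rather than of ordinary mail.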