Hafen.781
Description Hafen.781
These are non-dangerous, non-memory-resident parasitic viruses. They search for .EXE files in the subdirectory tree and write themselves to the end of each file. "Hafen.1640,1641,1689" contain the decrypted body of the "Ambulance" virus and infect .COM files with this sample (that is, they drop the virus).
"Hafen.809" decrypts and displays the message: Hafenstraße bleibt !
"Hafen.781" decrypts and prints to the printer the message: Kilroy was here - (C) 1991, VDV.
"Hafen.818" creates files with random names; these files contain the text: Hafenstraße bleibt !
"Hafen.1191" manifests itself with a moving picture:
I-Worm.Mimail.c
Description I-Worm.Mimail.c
Mimail.c, also known as I-Worm.WatchNet, is the latest version of a potent Internet worm that spreads by email as a file attachment named photos.jpg.zip. Mimail is a Windows application file (PE EXE file) with a size of about 12KB, compressed by UPX. The uncompressed size is about 27KB.
Infected email messages include the following content:
Sender address: james@recipient domain
Subject: Re[2]: our private photos
Body Text:
Hello Dear!, Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos. Kiss, James.
Attachment: photos.jpg.zip (actual name is "photos.jpg.exe")
The Mimail.c worm only gains control if a victim opens the file attachment.
Reproduction
Mimail writes itself into the Windows directory under the name netwatch.exe and then registers itself in the auto-run key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NetWatch32 = %windir%\netwatch.exe
Mimail also creates the following files in the Windows directory:
exe.tmp
zip.tmp - a Zip archive of the worm (the compression method is 'stored')
eml.tmp - list of email addresses detected on infected (victim) computers
To create the ZIP archive, the Mimail.c worm uses its own procedure that is built into its code.
Spreading
To mail out infected messages, Mimail.c uses its own SMTP engine. To find email addresses to target, the worm searches for address strings in files located in the Shell Folders and Program Files directories.
Other Information
Mimail.c watches for activity from the e-gold payment system (http://www.e-gold.com) application. If this application is detected, Mimail.c records some specific data from it in the file c:\tmpe.tmp. This file is sent out to four email addresses belonging to the worm's author.
Mimail.c executes a DDoS attack against the websites www.darkprofits.com and www.darkprofits.net by sending them an endless cycle of packets of random sizes.
I-Worm.Mimail.g
Description I-Worm.Mimail.g
This is a variant of I-Worm.Mimail.e. It is approximately 10Kb in size, and compressed using UPX. The uncompressed file is approximately 22Kb in size.
How Mimail.e differs from earlier versions
The worm copies itself to the Windows directory under the name 'sysload32.exe' and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemLoad32" = "%windir%\sysload32.exe"
Infected mails contain the following:
Sender's address: john@recipient domain
Message header: don't be late!
Message body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
Attachment: readnow.zip
The attached file contains the worm under the name 'readnow.doc.scr'.
This version of the worm does not contain the function which enables it to steal E-Gold users' information.
The worm carries out a DoS attack on the site mysupersales.com in the same way that I-Worm.Mimail.c does.
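Both Mimail entries above describe a ZIP attachment whose member hides an executable behind a document-style name (photos.jpg.exe, readnow.doc.scr). The following is an added example, not part of the original descriptions: a mail-gateway style check in Python for that pattern. The extension lists and function names are assumptions of this example, and the sample archives are constructed in memory with placeholder bytes.

```python
import io
import zipfile

# Extensions Windows runs directly (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions a recipient reads as a harmless document or image (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "doc", "txt", "pdf", "zip"}


def deceptive_extension(filename):
    """Return (decoy, real) if the name ends in <decoy>.<executable>, else None."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        return parts[-2], parts[-1]
    return None


def scan_attachment(name, data):
    """Return findings for one attachment, looking inside it if it is a ZIP."""
    findings = []
    hit = deceptive_extension(name)
    if hit:
        findings.append(f"{name}: shown as .{hit[0]}, runs as .{hit[1]}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member = info.filename.rsplit("/", 1)[-1]
                hit = deceptive_extension(member)
                if hit:
                    stored = info.compress_type == zipfile.ZIP_STORED
                    method = "stored" if stored else "compressed"
                    findings.append(f"{name}!{member}: shown as .{hit[0]}, "
                                    f"runs as .{hit[1]} ({method})")
    return findings


def make_zip(member, payload=b"constructed placeholder bytes"):
    """Build a constructed sample archive in memory (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for name, member in [("photos.jpg.zip", "photos.jpg.exe"),
                         ("readnow.zip", "readnow.doc.scr"),
                         ("report.zip", "report.doc")]:
        print(name, scan_attachment(name, make_zip(member)) or "clean")
```

The check keys on the naming trick rather than on the specific file names, so renamed attachments that use the same double-extension pattern are flagged as well.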