
mimail trojan horses [WAS: Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES]



Actually the answer just came right now:
http://www.sophos.com/virusinfo/analyses/w32mimaili.html

W32/Mimail-I is a worm which spreads via email using addresses harvested from the hard drive of your computer. All email addresses found on your PC are saved in a file named el388.tmp in the Windows folder. In order to run itself automatically when Windows starts up the worm copies itself to the file svchost32.exe in the Windows folder and adds the following registry entry:

Mimail has been making the rounds for a while now. I doubt it's the last variant we'll see.
The author sure is consistent though.
--
Gadi Evron,
ge@linuxbox.org.


The Trojan Horses Research mailing list - http://ecompute.org/th-list

My resume (Hebrew) - http://vapid.reprehensible.net/~ge/resume.rtf

PGP key for ge@linuxbox.org -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc



_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
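The Sophos description quoted in the post names two host artifacts (svchost32.exe and el388.tmp, both in the Windows folder). The script below is an added example of how a responder might sweep a Windows folder for those two indicators; it is not part of the original post or of Sophos's analysis. It assumes only the file names quoted above, plus the general fact that the genuine service host is svchost.exe under System32, which the scan deliberately does not flag. The registry entry is left out because the post does not include it, and the contents of el388.tmp are not parsed because its format is not described.

```python
import tempfile
from pathlib import Path

# Indicators taken from the Sophos W32/Mimail-I description quoted in the
# post: both files are dropped into the Windows folder.
MIMAIL_I_FILES = {
    "svchost32.exe": "worm copy that is registered to run at Windows startup",
    "el388.tmp": "harvested e-mail addresses",
}

# The genuine service host is svchost.exe in System32; it appears in the
# sample data only to show the scan does not confuse it with svchost32.exe.
LEGITIMATE_LOOKALIKE = "svchost.exe"


def mimail_indicators(windows_dir):
    """Return {file name as found: description} for Mimail-I artifacts in windows_dir.

    Matching is case-insensitive because Windows file names are.
    A missing or unreadable directory yields an empty result instead of raising.
    """
    found = {}
    try:
        entries = [p for p in Path(windows_dir).iterdir() if p.is_file()]
    except OSError:
        return found
    by_lower = {p.name.lower(): p.name for p in entries}
    for ioc, why in MIMAIL_I_FILES.items():
        if ioc in by_lower:
            found[by_lower[ioc]] = why
    return found


def triage(windows_dir):
    """Summarise a scan as (status, hits) suitable for a ticket or SIEM event.

    The dropped executable alone is enough to call the host infected; the
    temp file on its own is only suspicious (it could be a leftover).
    """
    hits = mimail_indicators(windows_dir)
    lowered = {name.lower() for name in hits}
    if "svchost32.exe" in lowered:
        status = "infected"
    elif hits:
        status = "suspicious"
    else:
        status = "clean"
    return status, hits


def build_sample_windows_dir():
    """Construct a throw-away directory mimicking an infected Windows folder.

    This is constructed sample data for the example, not a real infection image.
    """
    root = Path(tempfile.mkdtemp(prefix="mimail_demo_"))
    for name in ("SVCHOST32.EXE", "el388.tmp", LEGITIMATE_LOOKALIKE, "notepad.exe"):
        (root / name).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    sample = build_sample_windows_dir()
    status, hits = triage(sample)
    print(f"{sample}: {status}")
    for name, why in hits.items():
        print(f"  {name}: {why}")
```

On a real host you would point `triage()` at the actual Windows folder (for example `C:\Windows`) rather than at the constructed sample; matching by name only is a first-pass check, and a hit should be confirmed against the vendor's write-up before the machine is declared infected.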