Panda Software reports the new Mimail.Q worm

– It tries to steal confidential information by displaying a form that passes itself off as a Microsoft form
– This malicious code is designed to spread rapidly and effectively via e-mail, and therefore, could collapse computer networks

PandaLabs has detected the new Mimail.Q (W32/Mimail.Q.worm) worm. This new variant is very similar to its predecessors and, according to data collected by Panda Software’s international support network, has already caused some incidents. Mimail.Q spreads via e-mail, and its most dangerous effect is that it has been designed to try to steal confidential data. It does this by displaying a form that imitates a Microsoft form and warns the user that the Windows license has expired.

Mimail.Q reaches computers in an e-mail message with an extremely variable sender, subject, message body and attachment. An example of the characteristics of an e-mail message carrying this worm is the following:

Subject: very nice picture
Good evening Ella
I shocked
My boss had best sex last evening with the mom of Jeremy!
I turned on my hp device and make cool pictures!
Please don’t show it to somebody, I rely on you.
Attachment: privateimgs.gif.exe

For the full list of characteristics, visit the Panda Software Virus Encyclopedia.

The attached file is polymorphic and actually contains a dropper. When this file is run, it installs Mimail.Q on the computer in a file called outlook.exe. Once installed, Mimail.Q searches different types of files for e-mail addresses to send itself to, and stores the addresses it finds in a file called outlook.cfg.

Mimail.Q also tries to steal confidential information from affected computers. To do this, it displays a fake form that warns users that their Windows license has expired and prompts them to renew it. This form requests personal data including a credit card number, its expiry date and its PIN. Finally, the worm creates an entry in the Windows Registry to ensure that it is run whenever the affected computer is started up.
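The sample attachment name, privateimgs.gif.exe, puts a harmless-looking image extension in front of the real executable one. The following Python check is an added example, not code from Panda Software: it flags attachments named this way in a raw message, and the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: extensions Windows will execute, and benign-looking decoys.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".doc", ".pdf", ".htm", ".html"}


def is_disguised_executable(filename):
    """True if the name ends in an executable extension preceded by a decoy one."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(name)
    # Padding between the two extensions ("a.jpg    .exe") is stripped as well.
    _, previous = os.path.splitext(stem.rstrip(". "))
    return last in EXECUTABLE_EXTS and previous in DECOY_EXTS


def flag_attachments(raw_message):
    """Return attachment filenames in a raw RFC 5322 message that look disguised."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename and is_disguised_executable(filename):
            flagged.append(filename)
    return flagged


def build_sample(attachment_name):
    """Constructed sample message; the payload is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "very nice picture"
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("privateimgs.gif.exe", "holiday.gif", "setup.exe"):
        print(name, flag_attachments(build_sample(name)))
```

Because the sender, subject and body vary from message to message, the filename shape is a more stable signal than any fixed text in the e-mail.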
