Subject: Virus News 2/4
(Continued from previous message)
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Mimail-T is an email worm.
W32/Mimail-T copies itself to the Windows folder with the filename
kaspersky.exe and sets the following registry entry so as to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
W32/Mimail-T contains the following text:
"*** GLOBAL WARNING: if any free email company or hosting company will
close/filter my email/site accounts, it will be DDoS'ed in next version.
WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed
my mimail-email account. Who next? ***"
W32/Holar-J
Aliases
W32.Galil.F@mm
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Holar-J is a worm which spreads by emailing itself via SMTP or via
Microsoft Outlook. The worm also attempts to spread via MSN Messenger.
When run for the first time the worm displays the following false error message:
"The WinZip Wizard cannot open this file it does not apear to be a
valid archive. if you downloaded this file, try downloading it again. if
you want to add this file to an archive, first create or open the archive,
then drop the file again."
W32/Holar-J is composed of a main dropper which drops and executes the
files SYSCHK.EXE and SMTP.OCX within the Windows system folder. SMTP.OCX
contains the worm's SMTP functionality and is detected by Sophos as
W32/Holar-G.
The dropper also creates copies of SYSCHK.EXE as MIZZABBAT.EXE in the
Windows folder and as ZACKER.EXE in a new folder called SYS32S within the
Windows folder.
The worm creates an entry in the registry at the following location to run
itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemChecker
W32/Holar-J creates the following CAB archives which contain the file RUNHELP.INF:
C:\RUNHELP.CAB
C:\SYS32S\RUNHELP.CAB
RUNHELP.INF attempts to run the file ZACKER.EXE.
W32/Holar-J also creates a file called FOLDER.HTT in the Windows web folder.
Emails have the following characteristics:
The subject line and message text may be absent or may be combinations of
the following:
"Fw:"
"Re:"
"hey Check this out :)"
"Hey I thought you trusted me but ... i haven't thought i should send u my briefcase to gain ur Trust. Have it all :) bye"
"Hey Wussap? Here is the Emmy :) Dont tell Sam abt it Cya"
"Another one?"
"Heyyyy I lost the other email , anyway i sent u all u need Cya"
"Hey i have just got it , plz tell me if u need more. bye"
"Heyyyyyyyy Lola Wussaaap?? I forgot to tell u , the other file is with Sam:) bye"
"YO DUMP , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO U, SAVE BYEEE"
"Hey wussap?i lost Sara's Email plzz send this file to her :) and tell her i can't be online tonight bye"
"heyyy I can't be online tonight :( anyway , i sent u something u r gonna love :) cya tomorrow"
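The two descriptions above (W32/Mimail-T and W32/Holar-J) both persist through a value under the HKLM Run key and drop files at fixed locations, which makes them easy to sweep for. The following PowerShell script is an added example, not part of the Sophos bulletin or the original post: it reads the Run key and tests for the file paths the bulletin names, reporting anything present together with a SHA-256 hash for follow-up. It assumes the "Windows system folder" is %WINDIR%\System32 and the "Windows web folder" is %WINDIR%\Web; the two C:\ paths are taken from the bulletin as written. It only reads; nothing is deleted.

```powershell
# Added example (not from the Sophos bulletin): read-only sweep for the
# persistence artifacts named in the W32/Mimail-T and W32/Holar-J descriptions.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Run-key value names from the bulletin.
$runValues = @(
    'KasperskyAv',    # W32/Mimail-T
    'SystemChecker'   # W32/Holar-J
)

# Dropped files from the bulletin. System32 and Web are assumed locations
# for "Windows system folder" and "Windows web folder".
$files = @(
    (Join-Path $env:windir 'kaspersky.exe'),        # W32/Mimail-T
    (Join-Path $env:windir 'System32\SYSCHK.EXE'),  # W32/Holar-J dropper output
    (Join-Path $env:windir 'System32\SMTP.OCX'),    # detected as W32/Holar-G
    (Join-Path $env:windir 'MIZZABBAT.EXE'),
    (Join-Path $env:windir 'SYS32S\ZACKER.EXE'),
    (Join-Path $env:windir 'Web\FOLDER.HTT'),
    'C:\RUNHELP.CAB',
    'C:\SYS32S\RUNHELP.CAB'
)

$findings = @()

# Check the Run key for either value name, recording the command it points at.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues) {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += [pscustomobject]@{
            Kind  = 'RunValue'
            Item  = "$runKey\$name"
            Value = $run.$name
        }
    }
}

# Check each dropped-file path; hash anything found so it can be submitted or compared.
foreach ($path in $files) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += [pscustomobject]@{
            Kind  = 'File'
            Item  = $path
            Value = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Mimail-T or W32/Holar-J artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key and the Windows folder are readable. A hit on the Run value alone is worth investigating even when the file is absent, since the value survives a partial clean-up and will fail loudly at the next logon.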
(Continued to next message)
---
* OLX 1.53 * Thesaurus: ancient reptile with an excellent vocabulary.
* PDQWK 2.52 #5
--- GTMail 1.26
* Origin: The Thunderbolt BBS, Little Rock, Arkansas (1:3821/33.0)
SOURCE: echomail via fidonet.ozzmosis.com