Mary Landesman
Mary's Antivirus Software Blog

By Mary Landesman, About.com Guide to Antivirus Software

Troj/Pinbol-A a.k.a. Mimail.U

Friday February 13, 2004
Is it a Trojan or a worm? That's the question antivirus vendors are debating this morning, and there's plenty of disagreement. Sophos believes the newly discovered malware, seeded via email last night, is simply a Trojan: according to its analysis, the only mailing done by the threat it has dubbed Troj/Pinbol-A is to the presumed author. Network Associates (McAfee), on the other hand, believes a mass-mailing routine is included and has dubbed the threat Mimail.U. Both agree on the following:

The malware was seeded the morning of February 13th via an email that had the following characteristics:

Subject: Your account delete

Message Body:

Your account was deleted.
Details see in file.

--
SSGroup Support
(212) 799-03-21

The attachment is randomly named and has a .SCR extension. If the attachment is executed, the malware drops a copy of itself into the Windows folder as smvc32.exe and adds a registry value so that it is loaded each time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SMVC = smvc32.exe

Pinbol a.k.a. Mimail.U also adds two values, socks and magic, under the HKEY_CURRENT_USER\Software registry key. The socks value holds the random port number of a proxy server the malware opens on the infected machine. Email addresses are harvested from various files on the infected system and saved to C:\cyclop.bin.
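As an added example (not code from this post, from Sophos or from McAfee), here is a mail-gateway rule written against the message characteristics listed above: the subject line, the two body phrases, and a .SCR attachment under any name, since the worm randomizes it. The two sample messages are constructed inside the block; the sender, recipient and attachment name are assumptions.

```python
"""Mail rule for the Pinbol / Mimail.U seeding message.

Added example: not code from the original post, Sophos or McAfee. It
matches the reported characteristics (subject "Your account delete", the
"Your account was deleted" / "SSGroup Support" body, a .SCR attachment
with any name). The two sample messages are constructed below; sender,
recipient and attachment name are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECT = "your account delete"
BODY_MARKERS = ("your account was deleted", "ssgroup support")


def score_message(raw: str) -> dict:
    """Report which indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject_hit = (msg.get("Subject") or "").strip().lower() == SUBJECT

    text, scr_names = "", []
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or ""
            if name.lower().endswith(".scr"):   # any name: the worm randomizes it
                scr_names.append(name)
        elif part.get_content_type() == "text/plain":
            text += part.get_content().lower()
    body_hit = all(marker in text for marker in BODY_MARKERS)
    return {
        "subject": subject_hit,
        "body": body_hit,
        "scr": scr_names,
        # Block only on the full combination so ordinary .SCR mail is not dropped.
        "block": subject_hit and body_hit and bool(scr_names),
    }


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Construct a MIME message with one attachment, returned as raw text."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"   # assumption
    msg["To"] = "user@example.invalid"        # assumption
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: the seeding message as reported, and a benign one.
SEED_BODY = ("Your account was deleted.\nDetails see in file.\n\n"
             "--\nSSGroup Support\n(212) 799-03-21\n")
PINBOL_SAMPLE = build_sample("Your account delete", SEED_BODY, "kgt7x.scr")
BENIGN_SAMPLE = build_sample("Q1 report", "The report is attached.\n", "report.pdf")

if __name__ == "__main__":
    for label, sample in (("pinbol", PINBOL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The rule only blocks when subject, body and attachment type all match; a gateway that dropped every .SCR attachment on its own would also be a reasonable policy, but that is a broader decision than this one message warrants.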

Here's where the disagreement begins.

Sophos's analysis has shown that the harvested email addresses are mailed periodically to the attacker and are not used for mass-mailing (at least not by Pinbol itself). Network Associates' analysis concludes that the email addresses are used for mass-mailing unless the local IP address is a private one, i.e. in RFC 1918 space such as 172.16.x.x through 172.31.x.x or 192.168.x.x. Others allege that the mass-mailing routine is present but completely broken.

All agree that Pinbol a.k.a. Mimail.U sets up an IRC backdoor on infected users' systems.
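As an added example (not code from this post or from any vendor's detection), here is a host-side check for the indicators listed above (the SMVC Run value, the socks and magic values under HKEY_CURRENT_USER\Software, the dropped smvc32.exe and C:\cyclop.bin), together with a strict RFC 1918 test for the private-address gate that Network Associates describes. It parses a registry export in the plain-text .reg format and a list of file paths; both inputs are constructed here for a hypothetical infected machine. The dword stored in socks and the contents of magic are assumptions, since the post says only that the port is random.

```python
r"""Host-side indicator check for Pinbol / Mimail.U.

Added example: not code from the original post or from any vendor. It
reads a registry export in .reg text format plus a list of file paths and
reports the indicators described in the post. The export and file list are
constructed; the socks dword and the magic data are assumptions.
"""
import ipaddress
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_SOFTWARE = r"HKEY_CURRENT_USER\Software"

# Constructed .reg export from a hypothetical infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMVC"="smvc32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software]
"socks"=dword:00001f90
"magic"="xyz"
"""

# Constructed file listing from the same hypothetical machine.
SAMPLE_FILES = [r"C:\WINDOWS\smvc32.exe", r"C:\cyclop.bin", r"C:\WINDOWS\notepad.exe"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: raw_data}}, all lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def reg_string(raw: str) -> str:
    """Unquote a REG_SZ literal ("...", with \\ escapes); other types pass through."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def socks_port(raw: str):
    """Decode the socks value as a port: dword:XXXXXXXX hex or a decimal string."""
    s = reg_string(raw)
    if s.lower().startswith("dword:"):
        return int(s[6:], 16)
    return int(s) if s.isdigit() else None


def check_host(reg_text: str, files: list) -> dict:
    """Report which Pinbol indicators are present in the export and file list."""
    reg = parse_reg(reg_text)
    run = reg.get(RUN_KEY.lower(), {})
    hkcu = reg.get(HKCU_SOFTWARE.lower(), {})
    run_data = reg_string(run.get("smvc", "")).lower()
    lower_files = [f.lower() for f in files]
    findings = {
        "run_key": run_data.endswith("smvc32.exe"),
        "socks": socks_port(hkcu["socks"]) if "socks" in hkcu else None,
        "magic": "magic" in hkcu,
        "dropper": any(f.endswith("\\smvc32.exe") for f in lower_files),
        "cyclop_bin": "c:\\cyclop.bin" in lower_files,
    }
    # The Run value alone could be a leftover; require a dropped artifact too.
    findings["infected"] = findings["run_key"] and (findings["dropper"] or findings["cyclop_bin"])
    return findings


# Strict RFC 1918 ranges. Whether the malware's own test is this exact is not
# stated in the post; "172.x.x.x" as written there is broader than 172.16/12.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    print(check_host(SAMPLE_REG, SAMPLE_FILES))
    for ip in ("172.20.1.1", "172.15.1.1", "192.168.0.5", "192.0.2.1"):
        print(ip, is_rfc1918(ip))
```

Run against a real export (regedit's File > Export, or `reg export` on later Windows versions) and a `dir /s /b` listing, the check reports the socks proxy port so it can be matched against netstat output on the same machine.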



©2009 About.com, a part of The New York Times Company.

All rights reserved.