Alias:W32.Mimail.C@mm, W32/Mimail.c@mm, WORM_MIMAIL.C, W32/Mimail-
Type:Worm 
Size:12,832 bytes 
Origin:unknown 
Date:10-31-2003 
Damage:sends itself by email 
VDF Version:6.22.00.23 
Danger:Low 
Distribution:High 

General Description:
The Worm/Mimail.C is a worm that steals data from the user's computer. For email spreading, it uses its own SMTP engine.

Symptoms:
System instability.

Distribution:
Email spreading, using its own SMTP engine.

Technical Details:
When activated, it creates the following files in the Windows directory:
* netwatch.exe
* zip.tmp
* exe.tmp

It creates the following registry entry, so that it will be automatically run at the next system start:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32" = "C:\<%Windir%>\netwatch.exe"

The worm reads the text of certain application windows and sends the data to predetermined email addresses.

It gathers email addresses from all files except those with one of the following extensions:
* exe
* jpg
* wav
* com
* mp3
* tif
* psd
* avi
* mpg
* cab
* pdf
* rar
* zip
* dll
* gif
* ocx
* vxd
* bmp

The collected addresses are stored in the file C:\<%Windir%>\eml.tmp. The worm spreads by sending itself to these addresses using its own SMTP engine. For every address it takes the domain part and uses that domain as the sender's domain, so the message appears to the recipient to come from their own domain.

The email has the following characteristics:

From: james@<current domain>

Subject: Re[2]: our private photos
Body:
Hello Dear!,

Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.

Kiss, James.

Attachment: photos.zip

The file photos.zip contains the worm under the name photos.jpg.exe.
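Added here as a defender's example, not part of the vendor description: a small Python mail filter that flags a message matching the characteristics above (subject, "james@" sender in the recipient's own domain, a photos.zip attachment carrying photos.jpg.exe), together with a constructed harmless sample message; the zip member is a placeholder, not the worm.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the description above.
SUBJECT = "Re[2]: our private photos"
ATTACHMENT = "photos.zip"
DROPPED_NAME = "photos.jpg.exe"

def mimail_c_indicators(raw: bytes) -> list[str]:
    # Returns the Mimail.C indicators found in one raw RFC 822 message.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() == SUBJECT:
        hits.append("subject")
    sender = parseaddr(str(msg.get("From", "")))[1]
    s_local, _, s_dom = sender.rpartition("@")
    # Recipient domain is read from the To: header only (assumption of this example).
    r_dom = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2]
    # The worm reuses the recipient's own domain as the sender domain.
    if s_local.lower() == "james" and s_dom and s_dom.lower() == r_dom.lower():
        hits.append("spoofed-same-domain-sender")
    for part in msg.iter_attachments():
        if part.get_filename() != ATTACHMENT:
            continue
        hits.append("attachment-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        # photos.jpg.exe: an executable hidden behind a double extension.
        if any(n.lower() == DROPPED_NAME for n in names):
            hits.append("double-extension-executable")
    return hits

def build_sample(sender_domain="example.com", recipient_domain="example.com") -> bytes:
    # Constructed sample mimicking the layout described above; no real malware inside.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DROPPED_NAME, b"placeholder bytes, not the worm")
    msg = EmailMessage()
    msg["From"] = f"james@{sender_domain}"
    msg["To"] = f"user@{recipient_domain}"
    msg["Subject"] = SUBJECT
    msg.set_content("Hello Dear!, ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=ATTACHMENT)
    return msg.as_bytes()
```

Running mimail_c_indicators(build_sample()) returns all four indicator names; a plain message with no attachment returns an empty list.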

Manual Removal Instructions:
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:
* C:\<%WinDIR%>\netwatch.exe
* C:\<%WinDIR%>\zip.tmp
* C:\<%WinDIR%>\exe.tmp

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32" = "C:\<%Windir%>\netwatch.exe"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* C:\<%WinDIR%>\netwatch.exe
* C:\<%WinDIR%>\zip.tmp
* C:\<%WinDIR%>\exe.tmp

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32" = "C:\<%Windir%>\netwatch.exe"

Restart your computer.
Description inserted by Crony Walker on Tuesday, 15 June 2004