Threat Encyclopedia


Win32/Mimail.C

Win32/Mimail.C is a worm that spreads as a file attached to an e-mail message. It runs on Windows 95 and later versions of the Windows operating system. Its body is 12832 bytes long and is compressed with the UPX packer; once decompressed it is about 450 KB.

Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from one installation to another. The System or System32 subdirectory located in %windir% is referred to as %system%.

The worm arrives in a message whose subject begins with the text Re[2]: our private photos, followed by a combination of randomly chosen characters. The body of the message reads as follows.

Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.

The attachment is a file named photos.zip, which contains the file photos.jpg.exe. The double extension is meant to make the executable pass for a JPEG image, especially on systems where Windows Explorer hides the extensions of known file types.
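The lure above can be caught at a mail gateway before the attachment is ever opened. The following Python script is an added example and not ESET code: it parses a raw RFC 822 message, checks the subject prefix and attachment name given above, and opens any ZIP attachment to look for the photos.jpg.exe member or, more generally, any executable hiding behind a double extension. The sample messages (build_sample, build_benign), the sender and recipient addresses and the MZ stub inside the ZIP are constructed here for the demonstration; the function names are my own.

```python
"""Mail-gateway check for the Win32/Mimail.C lure (added example, not ESET code)."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Indicators taken from the description of the worm's message.
MIMAIL_C_SUBJECT_PREFIX = "Re[2]: our private photos"
MIMAIL_C_ATTACHMENT = "photos.zip"
MIMAIL_C_PAYLOAD = "photos.jpg.exe"
# Generalisation: any "name.<decoy ext>.<executable ext>" member, e.g. report.doc.scr
DOUBLE_EXT = re.compile(r".+\.[a-z0-9]{2,4}\.(exe|scr|pif|com|bat|cmd)$", re.I)


def zip_members(data: bytes) -> list[str]:
    """Return the member names of a ZIP attachment, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list[str]:
    """Return the Mimail.C indicators found in a raw RFC 822 message (empty list = clean)."""
    msg = message_from_bytes(raw)
    hits = []
    if msg.get("Subject", "").startswith(MIMAIL_C_SUBJECT_PREFIX):
        hits.append(f"subject prefix: {MIMAIL_C_SUBJECT_PREFIX!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() == MIMAIL_C_ATTACHMENT:
            hits.append(f"attachment name: {name}")
        if name.lower().endswith(".zip"):
            # Look inside the archive: the executable is one level down.
            for member in zip_members(part.get_payload(decode=True) or b""):
                base = member.rsplit("/", 1)[-1]
                if base.lower() == MIMAIL_C_PAYLOAD:
                    hits.append(f"zip member: {base}")
                elif DOUBLE_EXT.match(base):
                    hits.append(f"double-extension executable in zip: {base}")
    return hits


def _zip_with(member: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed Mimail.C-style message; the 'executable' is only a 64-byte MZ stub."""
    msg = EmailMessage()
    msg["From"] = "james@example.invalid"      # constructed address
    msg["To"] = "victim@example.invalid"       # constructed address
    msg["Subject"] = MIMAIL_C_SUBJECT_PREFIX + " kxqzt"  # random suffix, as described
    msg.set_content("Hello Dear!,\n\nRight now enjoy the photos.\nKiss, James.\n")
    msg.add_attachment(_zip_with(MIMAIL_C_PAYLOAD, b"MZ" + b"\0" * 62),
                       maintype="application", subtype="zip",
                       filename=MIMAIL_C_ATTACHMENT)
    return bytes(msg)


def build_benign() -> bytes:
    """Constructed clean message whose ZIP holds only a JPEG; must produce no hits."""
    msg = EmailMessage()
    msg["Subject"] = "Holiday pictures"
    msg.set_content("see attached")
    msg.add_attachment(_zip_with("holiday.jpg", b"\xff\xd8\xff" + b"\0" * 16),
                       maintype="application", subtype="zip", filename="pics.zip")
    return bytes(msg)


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print("MATCH:", hit)
```

Because the check opens the archive rather than trusting the attachment name, a renamed photos.zip or a different decoy extension still trips the double-extension rule; a password-protected or corrupt ZIP simply yields no members, so pair this with the signature-based detection mentioned below rather than relying on it alone.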

When run, Win32/Mimail.C creates a copy of itself in the %windir% directory under the name netwatch.exe. It also creates the files exe.tmp (12832 bytes) and zip.tmp (12958 bytes) there. It ensures that it is started again after the operating system restarts by creating a value named NetWatch32 under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and setting it to %windir%\netwatch.exe.
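The file names, sizes and the Run value listed above are enough for a host triage script. The following Python code is an added example, not ESET code: it checks %windir% for the dropped files (reporting a size mismatch rather than ignoring a file, since a repacked variant may differ in length) and compares the NetWatch32 Run value against the expected path. Reading the registry only works on Windows, so the registry read is kept in its own function and the checking logic takes the collected values as a plain dictionary; build_fixture creates a temporary fake %windir% so the logic can be exercised anywhere. The helper names and the fixture contents are my own.

```python
"""Host triage for the Win32/Mimail.C artefacts (added example, not ESET code)."""
import os
import sys
import tempfile
from pathlib import Path

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKEY_LOCAL_MACHINE
RUN_VALUE = "NetWatch32"
# dropped file name -> length in bytes from the description (None = length not given)
ARTEFACTS = {"netwatch.exe": 12832, "exe.tmp": 12832, "zip.tmp": 12958, "eml.tmp": None}


def check_files(windir: Path) -> list[str]:
    """Report every listed artefact present in windir, noting unexpected sizes."""
    findings = []
    for name, size in ARTEFACTS.items():
        p = windir / name
        if not p.is_file():
            continue
        actual = p.stat().st_size
        note = "" if size is None or actual == size else f" (size {actual}, expected {size})"
        findings.append(f"file {p}{note}")
    return findings


def check_run_value(run_values: dict[str, str], windir: Path) -> list[str]:
    """run_values maps value name -> data as read from the HKLM Run key."""
    data = run_values.get(RUN_VALUE)
    if data is None:
        return []
    expected = str(windir / "netwatch.exe")
    match = os.path.normcase(data.strip('"')) == os.path.normcase(expected)
    return [f"Run value {RUN_VALUE} = {data!r}" + ("" if match else " (unexpected path)")]


def read_hklm_run() -> dict[str, str]:
    """Collect all values of the HKLM Run key; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, imported lazily
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def triage(windir: Path, run_values: dict[str, str]) -> list[str]:
    return check_files(windir) + check_run_value(run_values, windir)


def build_fixture() -> Path:
    """Constructed fake %windir% for testing: a 12832-byte netwatch.exe and a
    zip.tmp of the wrong size. The contents are filler, not the worm."""
    windir = Path(tempfile.mkdtemp(prefix="fake_windir_"))
    (windir / "netwatch.exe").write_bytes(b"\0" * 12832)
    (windir / "zip.tmp").write_bytes(b"\0" * 100)
    return windir


if __name__ == "__main__":
    windir = Path(os.environ.get("WINDIR", r"C:\Windows"))
    for finding in triage(windir, read_hklm_run()):
        print("IOC:", finding)
```

A hit on the Run value is the strongest single indicator, because the file names alone could in principle collide with unrelated software; remediation is then the usual order: stop the netwatch.exe process, delete the Run value, remove the dropped files.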

The worm harvests e-mail addresses for its spreading by scanning the files on the disk, skipping files with the following extensions.

com
bmp
jpg
gif
exe
dll
avi
mpg
mp3
vxd
ocx
psd
tif
zip
rar
pdf
cab
wav

Win32/Mimail.C saves the addresses it finds in the file %windir%\eml.tmp and then sends copies of itself to those addresses.

NOD32 detects the worm Mimail.C by means of its extended heuristics without any update. Signature-based detection of Mimail.C was added in virus signature database version 1.548.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.