
Email-Worm.Win32.Mimail.c

Other versions: .a, .g, .i, .j, .l, .p, .q

Aliases
Email-Worm.Win32.Mimail.c (Kaspersky Lab) is also known as: I-Worm.Mimail.c (Kaspersky Lab), W32/Mimail.dam (McAfee)
Description added: Oct 31 2003
Behavior: Email Worm
Technical details
Mimail.c, also known as I-Worm.WatchNet, is the latest version of a potent Internet worm that spreads as an email attachment named photos.jpg.zip. Mimail is a Windows application (PE EXE) file about 12KB in size, compressed with UPX; the uncompressed size is about 27KB.

Infected email messages include the following content:

Sender address:

james@recipient domain

Subject:

Re[2]: our private photos

Body Text:

Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.

Attachment:

photos.jpg.zip
(actual name is "photos.jpg.exe")

The Mimail.c worm only gains control if a victim opens the file attachment.
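The mailing traits listed above (fixed subject, sender forged as james@ the recipient's own domain, photos.jpg.zip wrapping photos.jpg.exe in a 'stored' archive) are exactly what a mail gateway can check for. The following is an added example, not Kaspersky's code: the sample message and its ZIP are constructed inline with a harmless placeholder in place of the worm body, and the example.org addresses are assumptions.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}  # disguised payload types


def zip_member_issues(zip_bytes):
    """Members hiding an executable extension behind an image one (photos.jpg.exe)."""
    issues = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                parts = info.filename.lower().rsplit(".", 2)
                if len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS:
                    issues.append("double-extension executable: " + info.filename)
    except zipfile.BadZipFile:
        pass  # not an archive at all; nothing to inspect
    return issues


def mimail_c_indicators(msg):
    """Traits from the description: fixed subject, sender forged as
    james@<recipient domain>, and photos.jpg.zip holding photos.jpg.exe."""
    hits = []
    if msg.get("Subject", "").strip() == "Re[2]: our private photos":
        hits.append("subject matches Mimail.c template")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender.startswith("james@") and "@" in recipient and \
            sender.split("@", 1)[1] == recipient.split("@", 1)[1]:
        hits.append("sender forged as james@<recipient domain>")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == "photos.jpg.zip":
            hits.append("attachment named photos.jpg.zip")
        hits.extend(zip_member_issues(part.get_payload(decode=True) or b""))
    return hits


def build_sample_message():
    """Constructed sample mirroring the description; the ZIP member is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:  # 'stored', like zip.tmp
        zf.writestr("photos.jpg.exe", b"PLACEHOLDER - not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"] = "james@example.org", "alice@example.org"
    msg["Subject"] = "Re[2]: our private photos"
    msg.set_content("Right now enjoy the photos.\nKiss, James.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.jpg.zip")
    return msg
```

Running mimail_c_indicators(build_sample_message()) reports all four indicators; the double-extension check also applies to archives from worms other than this one.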

Reproduction
Mimail writes a copy of itself to the Windows directory under the name netwatch.exe and then registers itself in the auto-run key of the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  NetWatch32 = %windir%\netwatch.exe

Mimail also creates the following files in the Windows directory:

exe.tmp
zip.tmp - a ZIP archive of the worm (the compression method is 'stored')
eml.tmp - the list of email addresses harvested from the infected (victim) computer

To create the ZIP archive, the Mimail.c worm uses its own archiving routine built into its code.

Spreading
To mail out infected messages, Mimail.c uses its own SMTP engine. To find email addresses to target, the worm searches for address strings in files located in the Shell Folders and Program Files directories.

Other Information
Mimail.c watches for activity from the e-gold payment system (http://www.e-gold.com) application. If this application is detected, Mimail.c records specific data from it in the file c:\tmpe.tmp. This file is then sent to four email addresses belonging to the worm's author.

Mimail.c executes a DDoS attack against the web sites www.darkprofits.com and www.darkprofits.net by sending them an endless stream of packets of random size.

 

Copyright © 1996 - 2010
Kaspersky Lab