FRISK Software International


Summary of W32/Mimail.C@mm
Discovered: 31 Oct 2003
Definition files: 31 Oct 2003
Risk Level: Low
Distribution: Low
Infection Method: Mass mailing
 

Brief Description

This is a memory-resident mass-mailing worm, packed with UPX, that arrives in a ZIP archive
containing a file named photos.jpg.exe (on Windows systems that hide the extensions of known file types the name is displayed as photos.jpg).

The worm sends itself to the e-mail addresses it finds on the infected computer.

The subject of these e-mails is "Re[2]: our private photos".



Technical Description

W32/Mimail.C@mm is a memory-resident mass-mailing worm, packed with UPX. It arrives in a ZIP archive containing a file named photos.jpg.exe; on Windows systems that hide the extensions of known file types the attachment is displayed as photos.jpg, which is the point of the double extension.

When run, the worm copies itself into the Windows folder under the name netwatch.exe and adds the value below to the registry so that it is started again at every boot.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "NetWatch32"="C:\\WINDOWS\\netwatch.exe"


It also writes a zipped copy and an unzipped copy of itself to the Windows directory under the names zip.tmp and exe.tmp.
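The Run value and the dropped files above are the indicators a responder looks for on a suspect machine or on an exported hive. The following script is an added example written for this page, not FRISK's or F-Prot's code: it parses a .reg export of the Run key (the format written by `reg export`, which on disk is UTF-16 with a byte-order mark) together with a listing of the Windows directory, and reports the Mimail.C indicators named in the description. The .reg text and the directory listing embedded in it are constructed samples; the value name and file names are the ones from this page.

```python
"""Offline triage for the W32/Mimail.C@mm artefacts described above.

Added example for this page, not FRISK's code.  Input is a .reg export of
the Run key plus a listing of the Windows directory; output is the list of
indicators found.
"""
import re
from typing import Dict, Iterable, List

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Value name and image name from the description.
MIMAIL_RUN_VALUE = "netwatch32"
MIMAIL_IMAGE = "netwatch.exe"
# Files the worm writes to the Windows directory: its own copy, a zipped
# and an unzipped copy, and the harvested address list.
MIMAIL_DROPS = {"netwatch.exe", "zip.tmp", "exe.tmp", "eml.tmp"}

# "name"="value" with backslash escapes allowed inside either string.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value name: command line} for the Run key in a .reg export."""
    values: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run_key:
            m = _VALUE_RE.match(line)
            if m:
                values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def find_mimail_indicators(run_values: Dict[str, str],
                           windows_dir_files: Iterable[str]) -> List[str]:
    """List the Mimail.C indicators present in the Run key and Windows dir."""
    findings: List[str] = []
    for name, cmd in run_values.items():
        # Match on the image name as well as the value name: a renamed
        # value that still launches netwatch.exe is just as suspicious.
        if name.lower() == MIMAIL_RUN_VALUE or MIMAIL_IMAGE in cmd.lower():
            findings.append(f"Run value {name!r} -> {cmd}")
    for f in sorted(windows_dir_files, key=str.lower):
        if f.lower() in MIMAIL_DROPS:
            findings.append(f"dropped file {f} in the Windows directory")
    return findings


# Constructed sample input: the worm's entry beside a legitimate one.  A
# real export read from disk needs open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32"="C:\\WINDOWS\\netwatch.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
'''

# Constructed listing of the Windows directory on an infected machine.
SAMPLE_WINDOWS_DIR = ["explorer.exe", "win.ini", "netwatch.exe",
                      "zip.tmp", "exe.tmp", "eml.tmp", "system.ini"]

if __name__ == "__main__":
    for finding in find_mimail_indicators(parse_reg_run_values(SAMPLE_REG),
                                          SAMPLE_WINDOWS_DIR):
        print(finding)
```

The check matches on the image name as well as on the value name, so a copy of the worm registered under a different value name is still reported; the file check is case-insensitive because the Windows file system is.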

The worm checks whether the computer is online by issuing a DNS query for www.google.com.
The addresses Mimail.C@mm mails itself to are harvested from every file on the computer except those with the extensions below.

    .com
    .wav
    .cab
    .pdf
    .zip
    .tif
    .psd
    .ocx
    .vxd
    .mp3
    .dll
    .exe
    .gif
    .jpg
    .bmp

Mimail.C@mm stores all harvested addresses in a file called eml.tmp in the Windows directory, then sends a forged e-mail to each of them.
The e-mail looks like the text below.

    From: james@<random host>
    Subject: Re[2]: our private photos <random text>


    Hello Dear!,

    Finally i've found possibility to right u, my lovely girl :)
    All our photos which i've made at the beach (even when u're without ur bh:))
    photos are great! This evening i'll come and we'll make the best SEX :)

    Right now enjoy the photos.
    Kiss, James.
    <random text>
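The e-mail above gives a mail gateway three independent signals: the fixed subject prefix, a ZIP attachment, and an executable inside the ZIP whose double extension makes it display as a picture. The script below is an added example written for this page, not FRISK's code and not a real gateway filter. It rebuilds the message from the description (a constructed sample, with a harmless placeholder in the ZIP instead of the worm; the sender and recipient addresses are assumed) and flags it on those signals. It goes a little beyond this one lure by also reporting any other executable found inside a ZIP attachment.

```python
"""Mail-gateway check for the W32/Mimail.C@mm lure described above.

Added example for this page, not FRISK's code.  Flags a message on the
known subject, on a ZIP attachment carrying a double-extension executable
(photos.jpg.exe), and on any other executable inside a ZIP.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from typing import List

MIMAIL_SUBJECT = "re[2]: our private photos"   # random text follows it
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a double-extension name borrows so that Windows, hiding the
# real one, shows the file as a harmless picture or document.
DISGUISE_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf"}


def is_double_extension_executable(name: str) -> bool:
    """photos.jpg.exe -> True; photos.jpg and setup.exe -> False."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return outer in EXECUTABLE_EXTS and inner in DISGUISE_EXTS


def is_executable_name(name: str) -> bool:
    return "." in name and "." + name.lower().rsplit(".", 1)[1] in EXECUTABLE_EXTS


def scan_message(raw: bytes) -> List[str]:
    """Return the reasons to quarantine the message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons: List[str] = []
    if str(msg["Subject"] or "").lower().startswith(MIMAIL_SUBJECT):
        reasons.append("subject matches the Mimail.C lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared file name or MIME type.
        if not data.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [n.rsplit("/", 1)[-1] for n in zf.namelist()]
        except zipfile.BadZipFile:
            reasons.append(f"{fname} looks like a ZIP but does not parse")
            continue
        for member in members:
            if is_double_extension_executable(member):
                reasons.append(f"{fname} contains double-extension executable {member}")
            elif is_executable_name(member):
                reasons.append(f"{fname} contains executable {member}")
    return reasons


def build_sample_lure() -> bytes:
    """Constructed message shaped like the description; the ZIP holds a
    harmless placeholder, not the worm.  Addresses are assumed."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("photos.jpg.exe", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "james@host.example"      # the real worm uses a random host
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re[2]: our private photos 7fk2q"
    msg.set_content("Hello Dear!,\n\nRight now enjoy the photos.\nKiss, James.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample_lure()):
        print(reason)
```

The subject match alone is a weak signal, since the random suffix is the only variable part and the next variant will change the text; the double-extension check inside the archive is the one that keeps working when the lure changes.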




Removal Instructions


If you run the OnDemand Scanner regularly it can be used to disinfect, but some malware, Mimail.C@mm among it, cannot be removed from within Windows: the worm is running and memory-resident, so Windows keeps its file open and F-Prot Antivirus cannot delete it. It is therefore necessary to disinfect using the DOS scanner (for Windows 95/98/ME) or the Command-line scanner (for Windows NT/2000/XP), started in a mode in which the worm has not been launched.

Please note that both the DOS scanner and the Command-line scanner are included in F-Prot Antivirus for Windows.

DOS Scanner:


For Windows 95/98/ME:

To boot into DOS press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.

Windows ME users need to use a Windows startup disk.

In DOS mode at the command prompt type:

cd \        [ENTER]
cd progra~1        [ENTER]
cd fsi        [ENTER]
cd f-prot        [ENTER]
f-prot.exe        [ENTER]

We are assuming here that F-Prot Antivirus was installed in the default location. Set the scanner to "Automatic disinfection".



Command-line Scanner:


For Windows 2000/XP:

Click on START \ SHUT DOWN \ RESTART. As the computer is booting up press the F8 key and from the menu select:

"Safe mode with Command prompt"

At the command prompt type:

cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list        [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.



For Windows NT 4.0:

Restart the computer and select the "[VGA mode]" entry from the boot menu (Windows NT 4.0 has no Safe Mode).

1. Click "Start" / "Run" / type "cmd"         [ENTER]

2. Command prompt window appears.

3. Press "Ctrl-Alt-Del" once and click on "Processes".

4. In "Processes" find "Explorer.exe" and select "End process". The Desktop will disappear and only the background/wallpaper and the command prompt window will be visible.

5. In the command prompt window type the following:



cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list       [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.



After F-Prot has completed scanning and removed the worm, reboot the computer and start Windows normally.

Remove the value below from the registry (Start / Run / regedit). If the scanner has left them behind, also delete zip.tmp, exe.tmp and eml.tmp from the Windows directory; eml.tmp holds the harvested address list, which tells you who may have been sent the worm from this machine.


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "NetWatch32"="C:\\WINDOWS\\netwatch.exe"

FRISK Software International - Ragnar Gisli