MiMail.C is a mass mailing worm that arrives as a zipped attachment in an email. The zip file contains an html file. The virus arrives as an email similar to:
From: admin@
Subject: Re[2]: our private photos
Message:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
Attachment: photos.zip
How Does MiMail.C Worm Infect My System?
Once unzipped, the file photos.htm creates an exe file named foo.exe in the Temporary Internet Files directory and runs it. The exploit is patched by the April 2003 Cumulative Patch.
The following files are then created in the Windows directory:
* netwatch.exe
* exe.tmp (temporary copy of message.html)
* zip.tmp (temporary copy of message.zip)
It also adds the following registry key to the system.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"NetWatch32" = C:\Windows\netwatch.exe
What Does the MiMail.C Worm Do?
Once a computer is infected, the virus checks to see if the system is connected to the Internet by trying to contact google.com. If it can contact google, then the worm attempts to gather email addresses from the infected computer. It grabs addresses from all files on the system, EXCEPT files that have the following extensions:
* COM
* WAV
* CAB
* RAR
* ZIP
* TIF
* PSD
* OCX
* VXD
* MP3
* MPG
* AVI
* DLL
* EXE
* GIF
* JPG
* BMP
These addresses are then stored in a file named eml.tmp in the Windows directory. The worm has its own SMTP engine. For each email address the worm sends to, it will
* Look up the MX record for the domain name using the DNS server of the current host. If a DNS server is not found, it will default to 212.5.86.163.
* Acquire the mail server associated with that particular domain.
* Directly contact the destination server.
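The three steps above describe a host that does its own MX lookups and talks TCP/25 straight to the destination mail server, bypassing whatever relay the site normally uses. That behaviour is what a defender can look for on the network. The following PowerShell script is an added example, not part of the original page: it runs a constructed, generic firewall log ("timestamp src dst proto dport action") through a function that flags any host that (a) opens outbound TCP/25 connections while not being on the list of approved mail relays, or (b) sends DNS traffic to 212.5.86.163, the fallback resolver named above. The log lines, host addresses, and the approved relay address (10.0.0.25) are all assumptions made for the example.

```powershell
# Added example (not from the original page): flag hosts whose traffic matches the
# MiMail.C mail-sending behaviour described above. Two signals:
#   1. outbound TCP/25 from a host that is not an approved mail relay
#      (a worm with its own SMTP engine bypasses the corporate relay)
#   2. DNS (UDP/53) traffic to 212.5.86.163, the fallback resolver named on the page
# Log format, host addresses and the relay list are constructed for this example.

$ApprovedRelays   = @('10.0.0.25')   # assumption: the site's real mail relay(s)
$FallbackResolver = '212.5.86.163'   # from the page

# Constructed sample of a generic "timestamp src dst proto dport action" firewall log
$SampleLog = @'
2003-11-02T09:14:01 10.0.0.25  203.0.113.10 TCP 25 ALLOW
2003-11-02T09:14:05 10.0.0.57  198.51.100.8 TCP 25 ALLOW
2003-11-02T09:14:06 10.0.0.57  212.5.86.163 UDP 53 ALLOW
2003-11-02T09:14:09 10.0.0.57  192.0.2.44   TCP 25 ALLOW
2003-11-02T09:15:00 10.0.0.91  203.0.113.80 TCP 80 ALLOW
'@

function Find-MiMailSmtpActivity {
    param(
        [string[]]$Lines,
        [string[]]$Relays = $ApprovedRelays
    )
    $findings = @{}
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        $f = $line.Trim() -split '\s+'
        $src = $f[1]; $dst = $f[2]; $proto = $f[3]; $dport = [int]$f[4]
        if (-not $findings.ContainsKey($src)) {
            $findings[$src] = [pscustomobject]@{ Host = $src; DirectSmtp = 0; FallbackDns = 0 }
        }
        # Signal 1: direct outbound SMTP from a non-relay host
        if ($proto -eq 'TCP' -and $dport -eq 25 -and $Relays -notcontains $src) {
            $findings[$src].DirectSmtp += 1
        }
        # Signal 2: DNS sent to the worm's hardcoded fallback resolver
        if ($proto -eq 'UDP' -and $dport -eq 53 -and $dst -eq $FallbackResolver) {
            $findings[$src].FallbackDns += 1
        }
    }
    # Report only hosts that tripped at least one signal
    $findings.Values |
        Where-Object { $_.DirectSmtp -gt 0 -or $_.FallbackDns -gt 0 } |
        Sort-Object Host
}

Find-MiMailSmtpActivity -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample log this reports a single host, 10.0.0.57, with two direct SMTP connections and one query to the fallback resolver; 10.0.0.25 is ignored because it is on the relay list, and 10.0.0.91 only made a web connection. In practice the relay list is the part to get right: every legitimate mail server must be on it, or the check produces noise, and the check is only meaningful where policy already routes workstation mail through a relay.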
How Can I Remove the MiMail.C worm?
Follow these steps in removing the MiMail.C worm.
1) Terminate the running program
* Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTRL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
* Locate the following program, click on it and End Task or End Process
NETWATCH.EXE
* Close Task Manager
2) Remove the Registry entries
* Click on Start, Run, Regedit
* In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
* In the right panel, right-click and delete the following entry
"NetWatch32"="%Windows%\netwatch.exe"
* Close the Registry Editor
3) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
* Click Start, point to Find or Search, and then click Files or Folders.
* Make sure that "Look in" is set to (C:\WINDOWS).
* In the "Named" or "Search for..." box, type, or copy and paste, the file names:
netwatch.exe
eml.tmp
zip.tmp
exe.tmp
* Click Find Now or Search Now.
* Delete the displayed files.
4) Reboot the computer and run a thorough virus scan using your favorite antivirus program.
5) Apply the patch for the April 2003 Cumulative Update to avoid viruses like this in the future.
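The manual steps above, together with the file and registry indicators listed in the infection section, translate directly into a script. The following PowerShell script is an added example and not part of the original page or the Symantec tool: run from an elevated prompt with -WhatIf it only reports which of the page's indicators (a running netwatch.exe, the NetWatch32 value under the Run key, and netwatch.exe, eml.tmp, zip.tmp and exe.tmp in the Windows directory) are present, which makes it a quick check for this infection; run without -WhatIf it performs steps 1 to 3. It uses $env:SystemRoot in place of the page's %Windows% placeholder, which is an assumption, and leaves the reboot, full scan and patching (steps 4 and 5) to the operator.

```powershell
# Added example (not from the original page): a scripted version of removal steps 1-3.
# Run with -WhatIf first to only report what would be changed; that doubles as a check
# for the indicators listed on this page. On Windows ME/XP the page notes that System
# Restore should be turned off first so restored copies are removed as well.
# Indicator names (netwatch.exe, NetWatch32, eml.tmp, zip.tmp, exe.tmp) are from the
# page; $env:SystemRoot standing in for %Windows% is an assumption.

[CmdletBinding(SupportsShouldProcess = $true)]
param()

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'NetWatch32'
$WinDir    = $env:SystemRoot   # usually C:\Windows
$DropFiles = 'netwatch.exe', 'eml.tmp', 'zip.tmp', 'exe.tmp' |
    ForEach-Object { Join-Path $WinDir $_ }

# Step 1: terminate the running worm process
$proc = Get-Process -Name 'netwatch' -ErrorAction SilentlyContinue
if ($proc) {
    $pids = $proc.Id -join ','
    if ($PSCmdlet.ShouldProcess("netwatch.exe (PID $pids)", 'Stop-Process')) {
        $proc | Stop-Process -Force
    }
} else {
    Write-Host 'No netwatch.exe process running.'
}

# Step 2: remove the autorun value so the worm is not restarted at next logon
$existing = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Found $RunValue = $($existing.$RunValue)"
    if ($PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
} else {
    Write-Host "No $RunValue value under the Run key."
}

# Step 3: delete the dropped files. This must follow step 1: while netwatch.exe is
# running, deleting its image fails with a sharing violation.
foreach ($f in $DropFiles) {
    if (Test-Path -LiteralPath $f) {
        if ($PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force
        }
    } else {
        Write-Host "Not present: $f"
    }
}

# Steps 4 and 5 are left to the operator.
Write-Host 'Now reboot, run a full antivirus scan, and apply the April 2003 Cumulative Patch.'
```

Save it as, for example, Remove-MiMailC.ps1 and run `.\Remove-MiMailC.ps1 -WhatIf` to see the report; the ShouldProcess calls make every destructive action honour -WhatIf and -Confirm. Note that eml.tmp is the harvested address list, so a copy of it taken before deletion tells you which addresses the worm may already have mailed.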
For Automatic Removal of MiMail.C, download the Symantec removal tool.