Security management Toolkit

Mimail.c worm: Prevention and cure

Robert Vamosi CNET News.com

Published: 03 Nov 2003 09:35 GMT

The latest email worm disguises itself as a ZIP file of steamy photos from the beach. Mimail.c w32.mimail.c@mm) is the third variant of the Mimail virus family, and so far the fastest spreading. It carries with it the potential for a denial-of-service attack and for the loss of personal information stored on an infected computer. It does not infect Linux, Mac, or Unix OSs. Because Mimail.c spreads via email and may launch a denial of service attack, this worm rates a 6/10 on the ZDNet Virus Meter.

How it works
Mimail.c arrives as email from someone named James. The subject line reads: "Re[2]: our private photos." The attached filename is photos.zip.

Should the attached file be opened, Mimail.c will attempt to install itself. It first copies itself to the Windows directory as Netwatch.exe, then updates the system Registry to call upon that file. Mimail.c searches files on the infected hard drive for any email address, then attempts to send copies of itself to each of those addresses.

The worm also carries a denial-of-service attack payload. Mimail tests Internet connectivity by attempting to contact the Google Web site. Once an Internet connection is confirmed, the worm then uploads information via port 80 and ICMP, so far, mostly gibberish, to a predetermined list of email addreses in what could be a denial-of–service attack on addresses with the name "darkprofits" within the URL.

What to look for
Mimail will create the following files in the Windows subdirectory of an infected PC:

Netwatch.exe
Exe.tmp
Eml.tmp

It also creates the following Registry file:

Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\ Run "NetWatch32" = C:\WINNT\Netwatch.exe

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Sophos, Symantec and Trend Micro.

Did you find this article useful?
101 out of 189 people found this useful

Post a comment

Full Talkback thread

1 comment

Netwatch.exe was a legit programme being in the Wi... Paul G. Chapman G4IJL

More In Security management

Company/Topic Alerts

Create a new alert from the list below:

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.