Sophos

W32/Mimail-C

Aliases
  • W32/Mimail.C@mm
  • I-Worm.NetWatch
  • W32/Bics@mm

Summary

 
Affected operating systems: Windows
Included in our products from: December 2003 (3.76)
Protection available since: 31 October 2003 13:11:28 (GMT)
Detected by: All Sophos products

More Information

W32/Mimail-C is a worm that spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file eml.tmp in the Windows folder.

The emails sent by the worm have the following characteristics:
Subject line: Re[2]: our private photos <random letters>
Message text:
Hello Dear!

Finaly i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.

Kiss, James.
Attached file: photos.zip

W32/Mimail-C spoofs the From field of the sent emails using the email address james@<your domain>.

Photos.zip is a compressed file which contains an executable file named photos.jpg.exe.
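
The message traits described above (subject line, james@ sender, photos.zip attachment, double-extension executable inside the archive) can be checked on a raw message at a mail gateway. The Python below is an added example, not Sophos code; the function names and the two extension lists are assumptions, and the sample message is constructed with placeholder bytes.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\b")  # subject from the description
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "cmd"}    # assumed list, not from the page
DECOY_EXT = {"jpg", "jpeg", "gif", "bmp", "txt", "doc"}  # assumed list, not from the page

def double_extension_members(zip_bytes):
    """Names inside a ZIP that end in <decoy>.<executable>, e.g. photos.jpg.exe."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # unreadable archive: this check reports nothing
    def flagged(name):
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT
    return [n for n in names if flagged(n)]

def scan_message(raw_bytes):
    """Return the indicators from the description that appear in one raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        findings.append("subject")
    if parseaddr(str(msg.get("From", "")))[1].lower().startswith("james@"):
        findings.append("from-localpart")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname == "photos.zip":
            findings.append("attachment-name")
        if fname.endswith(".zip"):
            for member in double_extension_members(part.get_payload(decode=True)):
                findings.append("zip-member:" + member)
    return findings

def build_sample(member, subject, sender):  # constructed message, harmless ZIP content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()
```

The sender and attachment-name matches are weak on their own; the double-extension member inside the archive is the finding worth blocking on.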

While searching for email addresses in files on the local hard drive W32/Mimail-C attempts to exclude the following extensions from the search:

  • AVI
  • BMP
  • CAB
  • COM
  • DLL
  • EXE
  • GIF
  • JPG
  • MP3
  • MPG
  • OCX
  • PDF
  • PSD
  • RAR
  • TIF
  • VXD
  • WAV
  • ZIP

W32/Mimail-C can launch a denial of service attack against the websites www.darkprofits.com and www.darkprofits.net.

In order to run automatically when Windows starts up W32/Mimail-C copies itself to the file netwatch.exe in the Windows folder and adds the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32

