Win32.Mimail.C@mm

MEDIUM
LOW
12832 bytes (packed with UPX)
(W32/Mimail-C (Sophos))

Symptoms

Presence of the following files in the Windows folder (%WINDIR%, e.g. C:\Windows):
netwatch.exe
eml.tmp
exe.tmp
zip.tmp

"eml.tmp" is a local database of mail addresses that the worm has collected from the infected computer.
"exe.tmp" is an exact copy of "netwatch.exe", and "zip.tmp" is a ZIP archive containing "photos.jpg.exe", which is in fact "netwatch.exe" itself.
The .tmp files listed here carry the hidden file attribute, so they are not visible by default in Windows Explorer.

Presence of "netwatch.exe" in the process list (visible in Task Manager -> Processes under Win2000/XP)

Presence of registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32 set to %WINDIR%\netwatch.exe
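The following triage helper is an added example and not part of the original Bitdefender description. It checks the indicators listed above against a host snapshot and also verifies the stated relationships between the dropped files (exe.tmp is a byte-for-byte copy of netwatch.exe, zip.tmp carries photos.jpg.exe with the same bytes). The registry Run values and the process list are passed in as plain Python collections, which is an assumption made so the check runs offline and on any OS; `demo()` builds a constructed, harmless stand-in for an infected %WINDIR%.

```python
import hashlib
import os
import tempfile
import zipfile

# Indicators taken from the description above.
DROPPED = ("netwatch.exe", "eml.tmp", "exe.tmp", "zip.tmp")
RUN_VALUE = "NetWatch32"      # under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
PAYLOAD_IN_ZIP = "photos.jpg.exe"

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _read(windir: str, name: str) -> bytes:
    with open(os.path.join(windir, name), "rb") as f:
        return f.read()

def check_mimail_c(windir: str, run_values: dict, processes) -> dict:
    """Evaluate the Mimail.C indicators against one host snapshot: windir is the
    Windows folder, run_values maps Run value names to data, processes lists image names."""
    files = {n: os.path.isfile(os.path.join(windir, n)) for n in DROPPED}
    report = {"files": files, "exe_tmp_is_copy": False, "zip_tmp_has_payload": False}
    worm = _read(windir, "netwatch.exe") if files["netwatch.exe"] else None
    if worm is not None and files["exe.tmp"]:
        # The description says exe.tmp is an exact copy of netwatch.exe.
        report["exe_tmp_is_copy"] = _sha256(_read(windir, "exe.tmp")) == _sha256(worm)
    zip_path = os.path.join(windir, "zip.tmp")
    if worm is not None and files["zip.tmp"] and zipfile.is_zipfile(zip_path):
        with zipfile.ZipFile(zip_path) as z:
            # zip.tmp should carry photos.jpg.exe, which is again the worm body.
            if PAYLOAD_IN_ZIP in z.namelist():
                report["zip_tmp_has_payload"] = _sha256(z.read(PAYLOAD_IN_ZIP)) == _sha256(worm)
    data = run_values.get(RUN_VALUE, "").replace("\\", "/").lower()
    report["run_key"] = data.split("/")[-1] == "netwatch.exe"
    report["process"] = any(p.lower() == "netwatch.exe" for p in processes)
    report["infected"] = files["netwatch.exe"] or report["run_key"] or report["process"]
    return report

def demo() -> dict:
    """Build a constructed, harmless stand-in for an infected %WINDIR% and check it."""
    root = tempfile.mkdtemp()
    fake_worm = b"CONSTRUCTED PLACEHOLDER - not the real netwatch.exe"
    for name in ("netwatch.exe", "exe.tmp"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(fake_worm)
    with open(os.path.join(root, "eml.tmp"), "wb") as f:
        f.write(b"victim@example.com\n")        # constructed harvested-address entry
    with zipfile.ZipFile(os.path.join(root, "zip.tmp"), "w") as z:
        z.writestr(PAYLOAD_IN_ZIP, fake_worm)
    return check_mimail_c(root, {RUN_VALUE: "C:\\Windows\\netwatch.exe"}, ["explorer.exe", "NETWATCH.EXE"])
```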

Removal instructions:

Manual removal:
  • open Task Manager by pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP
  • use "End Process" on "netwatch.exe"
  • delete all files listed at the beginning of this description from the Windows directory
  • open Registry Editor (regedit)
  • remove this key: "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32"

Automatic removal: let BitDefender disinfect infected files

Analyzed by:

Mircea Ciubotariu, BitDefender Virus Researcher

Technical Description:

The worm spreads via e-mail, attached as "photos.zip" to messages with the subject "Re[2]: our private photos" and the following body:

Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.

Although it is a brand new piece of malware, the first thing it does when run is to import and call "RegisterServiceProcess" from KERNEL32.DLL, a function available only on Win9x, in order to hide its process from Task Manager.

After that the worm copies itself into the %WINDIR% directory and starts collecting mail addresses by recursively scanning files under the "Program Files" folder and the folders listed under the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder registry key, looking for strings of the form "xxx@xxx.xxx" (mail addresses), where xxx is almost any non-empty string. Judging by the way this function was written, it appears to have been included in the source as assembler code.
Files are filtered by extension; .com, .wav, .cab, .pdf and other binary files are excluded from the search.

Some hard-coded mail addresses are included in the executable body:
omnibbb@gmx.net
omnibcd@gmx.net
drbz@maill5.com
kxva@maill5.com

The worm was written in C++ and compiled with LCC-Win32.