Win32.Mimail.C@mm (W32/Mimail-C (Sophos))
SYMPTOMS:

Presence of the following files in the Windows folder (%WINDIR%, e.g. C:\Windows):
netwatch.exe
eml.tmp
exe.tmp
zip.tmp

"Eml.tmp" is a local database of mail addresses collected by the worm from the infected computer. "Exe.tmp" is an exact copy of "netwatch.exe", and "zip.tmp" is a zip file containing "photos.jpg.exe", which is in fact "netwatch.exe". The .tmp files listed here have the hidden file attribute set, so they are not visible by default in Windows Explorer.

Presence of "netwatch.exe" in the process list (visible in Task Manager -> Processes under Windows 2000/XP).

Presence of the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32 set to %WINDIR%\netwatch.exe

TECHNICAL DESCRIPTION:

The worm spreads via email, attached as "photos.zip", in messages with the subject "Re[2]: our private photos" and the following body:

Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :) Right now enjoy the photos. Kiss, James.

Although it is a brand new piece of malware, the first thing it does when run is import and call "RegisterServiceProcess" from KERNEL32.DLL, a function available only on Win9x, in order to hide its process from Task Manager. After that the worm copies itself to the %WINDIR% directory and starts collecting mail addresses, recursively scanning files under the "Program Files" folder and the folders listed under the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder registry key for strings of the form "xxx@xxx.xxx" (mail addresses), where xxx is almost any non-empty string. Judging by the way this function was written, it appears to have been included in the source as assembler code. Files are filtered by extension: .com, .wav, .cab, .pdf and other binary files are excluded from the search.
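The delivery vector above (fixed subject, "photos.zip" attachment, a "photos.jpg.exe" member inside the archive) is exactly what a mail gateway can match on. The following is an added example written for this page, not BitDefender's code: it parses a raw RFC 822 message with Python's standard library, reports which of the page's indicators are present, and flags any executable or double-extension member inside a zip attachment. The sample messages are constructed for the demo; the zip member they carry is a few harmless bytes, not the worm. The indicator strings and the extension list are the author's assumptions.

```python
"""Mail-gateway check for the Mimail.C delivery described on the page (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

WORM_SUBJECT = "Re[2]: our private photos"      # from the page
WORM_ATTACHMENT = "photos.zip"                  # from the page
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list
# name.ext.exe style double extensions, e.g. photos.jpg.exe
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|pif|com|bat)$", re.IGNORECASE)


def risky_zip_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose name ends in an executable suffix."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list[str]:
    """Return the indicators found in one raw message (empty list = nothing seen)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if msg.get("Subject", "").strip() == WORM_SUBJECT:
        findings.append("subject matches Mimail.C lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == WORM_ATTACHMENT:
            findings.append(f"attachment name {name} matches Mimail.C")
        payload = part.get_payload(decode=True) or b""
        # Look inside anything named .zip or carrying a zip signature,
        # regardless of the declared Content-Type.
        if name.lower().endswith(".zip") or payload.startswith(b"PK"):
            for member in risky_zip_members(payload):
                tag = "double-extension" if DOUBLE_EXT.search(member) else "executable"
                findings.append(f"{tag} member {member} inside {name}")
    return findings


def _zip_with(member: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message shaped like the worm's mail; payload is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "james@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"      # constructed recipient
    msg["Subject"] = WORM_SUBJECT
    msg.set_content("Right now enjoy the photos. Kiss, James.")
    msg.add_attachment(_zip_with("photos.jpg.exe", b"not a real executable"),
                       maintype="application", subtype="zip", filename=WORM_ATTACHMENT)
    return bytes(msg)


def build_clean_message() -> bytes:
    """Constructed benign message with a zip that holds only a text file."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: lunch"
    msg.set_content("Notes attached.")
    msg.add_attachment(_zip_with("notes.txt", b"nothing to see"),
                       maintype="application", subtype="zip", filename="notes.zip")
    return bytes(msg)


if __name__ == "__main__":
    for label, raw in (("sample", build_sample_message()), ("clean", build_clean_message())):
        print(label, scan_message(raw))
```

The subject and attachment name are only worth matching for this specific sample; the zip-member check (an executable suffix, and a double extension in particular) is the part that keeps catching variants after the lure text changes, which is why it runs on any attachment that looks like a zip rather than only on ones named "photos.zip".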
Some hard-coded mail addresses are included in the executable body as follows:
omnibbb@gmx.net
omnibcd@gmx.net
drbz@maill5.com
kxva@maill5.com

The worm was written in C++ and compiled using LCC-Win32.

REMOVAL INSTRUCTIONS:

Manual removal:

Automatic removal: let BitDefender disinfect infected files.

ANALYZED BY: Mircea Ciubotariu, BitDefender Virus Researcher
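The SYMPTOMS section lists three host-side indicators: the dropped files in %WINDIR%, the NetWatch32 value under the Run key, and the running netwatch.exe process. The script below is an added example (not BitDefender's tool) that checks all three. The core check takes its three inputs as arguments so it runs on any platform; the two "live source" helpers that read the Run key through winreg and the process list through tasklist are the assumed way to wire it up on a Windows host and are not described on the page. Note that the hidden attribute on the .tmp files only affects what Explorer shows by default; file APIs still see them, so os.stat and Path.exists are enough to find them.

```python
"""Host check for the Mimail.C indicators listed under SYMPTOMS (added example)."""
import os
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

WORM_FILES = ("netwatch.exe", "eml.tmp", "exe.tmp", "zip.tmp")  # from the page
RUN_VALUE_NAME = "NetWatch32"                                     # from the page
WORM_PROCESS = "netwatch.exe"                                     # from the page


def check_indicators(windir, run_values, processes):
    """Return the Mimail.C indicators present.

    windir     -- path of the Windows folder to inspect
    run_values -- {value name: data} read from HKLM\\...\\CurrentVersion\\Run
    processes  -- iterable of running image names
    """
    windir = Path(windir)
    found = []
    for name in WORM_FILES:
        p = windir / name
        if p.exists():
            # st_file_attributes only exists on Windows; elsewhere treat as not hidden.
            attrs = getattr(os.stat(p), "st_file_attributes", 0)
            hidden = " (hidden)" if attrs & stat.FILE_ATTRIBUTE_HIDDEN else ""
            found.append(f"file {p}{hidden}")
    for name, data in run_values.items():
        # Match either the value name the page gives or any data pointing at the binary.
        if name.lower() == RUN_VALUE_NAME.lower() or str(data).lower().endswith(WORM_PROCESS):
            found.append(f"run value {name} = {data}")
    if any(str(p).lower() == WORM_PROCESS for p in processes):
        found.append(f"process {WORM_PROCESS}")
    return found


def read_run_values():
    """Live source (Windows only, assumed wiring): all values under the HKLM Run key."""
    import winreg
    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
    return values


def list_processes():
    """Live source (Windows only, assumed wiring): image names from tasklist /FO CSV /NH."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    return [line.split(",")[0].strip('"') for line in out.splitlines() if line.strip()]


def make_sample_windir(infected=True):
    """Constructed stand-in for %WINDIR% so the check can be exercised offline."""
    d = Path(tempfile.mkdtemp(prefix="mimail-demo-"))
    if infected:
        (d / "netwatch.exe").write_bytes(b"placeholder, not the worm")  # constructed
        (d / "zip.tmp").write_bytes(b"placeholder")                      # constructed
    return d


if __name__ == "__main__":
    if sys.platform == "win32":
        hits = check_indicators(os.environ["WINDIR"], read_run_values(), list_processes())
    else:
        hits = check_indicators(make_sample_windir(),
                                {"NetWatch32": r"C:\Windows\netwatch.exe"},
                                ["explorer.exe", "netwatch.exe"])
    for hit in hits:
        print("INDICATOR:", hit)
```

Matching the Run value by its data as well as by its name matters here: the page gives the value name NetWatch32, but a variant can rename the value while still pointing at %WINDIR%\netwatch.exe, and the data check catches that case.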