
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Mimail.C

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Mimail.C has the following effects:

  • Once it is run, it goes memory resident.
  • It launches DoS (Denial of Service) attacks against web servers.

Infection strategy 

Mimail.C creates the following files in the Windows directory:

  • EXE.TMP and NETWATCH.EXE. Copies of the worm.
  • ZIP.TMP. A copy of the worm compressed in ZIP format.
  • EML.TMP. The list of e-mail addresses harvested from the computer, to which Mimail.C will send itself.

Mimail.C creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "NetWatch32" = %windir%\netwatch.exe

    where %windir% is the Windows directory.
    This entry ensures that the worm is run every time Windows starts.

Means of transmission 

Mimail.C spreads via e-mail. It follows the routine below:

  • It reaches the computer in a message that has the following characteristics:

    Sender:
    james@%domain%
    where %domain% is the mail domain of the addressee.

    Subject:
    Re[2]: our private photos %text%
    where %text% is a string of 8 random characters.

    Message:
    Hello Dear!,
    Finally i've found possibility to right u, my lovely girl :)
    All our photos which i've made at the beach (even when u're without ur bh:))
    photos are great! This evening i'll come and we'll make the best SEX :)
    Right now enjoy the photos.
    Kiss, James.

    %text%

    Attachments:
    PHOTOS.ZIP
  • The attachment is a ZIP archive containing the worm under the double-extension name PHOTOS.JPG.EXE, so that it appears to be an image. The computer is infected only when the recipient extracts and runs this file.
  • It searches for e-mail addresses in all files on the computer except those with the following extensions: AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR, TIF, VXD, WAV and ZIP. It stores the collected addresses in the file EML.TMP.
  • It sends itself to all the collected addresses using its own SMTP engine. It connects to the IP address 212.5.86.163, which belongs to a Russian server.
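As an added example (not code from the original page or from Panda Security), the following Python mail filter checks a message against the characteristics listed above: a sender forged as james@ in the recipient's own domain, the "Re[2]: our private photos" subject with an 8-character suffix, the The Bat! / X-Priority headers, and a PHOTOS.ZIP attachment whose contents are inspected for a double-extension executable. The sample messages are constructed in the block; the assumption that the subject suffix contains no whitespace and the list of executable extensions beyond .EXE are the editor's own, not from the page.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators transcribed from the description above. The 8-character
# suffix is assumed (not stated on the page) to contain no whitespace.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos \S{8}$")
X_MAILER = "The Bat! (v 1.62)"
# Extensions treated as executable when they follow a decoy extension.
# Assumption: the page only names .EXE; the others are common equivalents.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def is_double_extension_executable(name):
    """True for names like PHOTOS.JPG.EXE: a decoy extension followed by an
    executable one, so the name suggests an image but Windows runs it."""
    stem, dot, last = name.lower().rpartition(".")
    return bool(dot) and last in EXECUTABLE_EXTS and "." in stem


def zip_member_names(data):
    """List the member names of a ZIP payload; [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def _first_address(msg, field):
    header = msg[field]
    if header is None or not header.addresses:
        return None
    return header.addresses[0]


def mimail_c_indicators(raw):
    """Match one raw RFC 822 message against the Mimail.C characteristics.
    Returns the list of indicators that matched ([] means none did)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []

    # Forged sender: james@<the recipient's own mail domain>.
    sender, rcpt = _first_address(msg, "From"), _first_address(msg, "To")
    if (sender and rcpt and sender.username.lower() == "james"
            and sender.domain.lower() == rcpt.domain.lower()):
        hits.append("from: james@<recipient domain>")

    if SUBJECT_RE.match(msg["Subject"] or ""):
        hits.append("subject: Re[2]: our private photos + 8 chars")

    if msg["X-Mailer"] == X_MAILER and (msg["X-Priority"] or "").startswith("1"):
        hits.append("headers: X-Mailer The Bat! (v 1.62), X-Priority 1")

    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "photos.zip":
            continue
        hits.append("attachment: PHOTOS.ZIP")
        # Look inside the archive rather than trusting the outer .zip name.
        for member in zip_member_names(part.get_payload(decode=True)):
            if is_double_extension_executable(member):
                hits.append(f"zip member with double extension: {member}")
    return hits


def build_message(sender, recipient, subject, zip_name, member_name, mailer=None):
    """Construct a sample message (constructed test data, not a real capture).
    The ZIP member is a harmless text stub, so no executable is produced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"stub content, not a real executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    if mailer:
        msg["X-Mailer"] = mailer
        msg["X-Priority"] = "1 (High)"
    msg.set_content("Right now enjoy the photos.\nKiss, James.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


def sample_worm_message():
    # Shaped like the message described above; example.org is a placeholder domain.
    return build_message("james@example.org", "alice@example.org",
                         "Re[2]: our private photos xq2m9plz",
                         "PHOTOS.ZIP", "PHOTOS.JPG.EXE", mailer=X_MAILER)


def sample_benign_message():
    return build_message("bob@partner.test", "alice@example.org",
                         "Q3 figures", "report.zip", "report.pdf")


if __name__ == "__main__":
    for label, raw in (("worm", sample_worm_message()),
                       ("benign", sample_benign_message())):
        print(label, mimail_c_indicators(raw))
```

The archive is opened and its member names examined because the outer name PHOTOS.ZIP says nothing about what is inside; a gateway that only matches on attachment names or on the From header would miss trivial variations of the lure, whereas a double-extension executable inside a mailed ZIP is a strong indicator on its own.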

Further Details  

Mimail.C is written in C and compiled with LCC-Win32. The worm is 12,832 bytes in size when packed with UPX and 28,140 bytes once unpacked.

Unlike other Mimail variants, Mimail.C does not exploit the Codebase or MHTML vulnerabilities; it relies on the recipient extracting and running the attached file.

The e-mail messages sent have the following header:

X-Mailer: The Bat! (v 1.62)
X-Priority: 1 (High)