Name: I-WORM.MiMail.C
AKA:
Type: Internet Worm
Size: 12958 bytes (photos.zip), 12832 bytes (photos.jpg.exe)
Platform: Win 95/98/ME/NT/2000/XP
Description:
MiMail.C is a new MiMail variant.
This worm spreads by email, retrieving email addresses from the infected PC.
The worm sends email messages with the following sender:
james@<SERVER NAME>
where <SERVER NAME> changes from provider to provider.
Messages may have this subject:
Re[2]: our private photos
followed by some spaces and some random characters, as in the example below:
Re[2]: our private photos kiikafea
With this message body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
kiikafea
Some random characters appear at the end of the body; they are the same as the ones in the subject.
The worm attaches the following infected .ZIP file:
photos.zip
photos.zip contains photos.jpg.exe, which is clearly NOT an image but an executable file.
Once executed, photos.jpg.exe creates a file named netwatch.exe in the Windows System folder
and then edits some registry keys so that it is executed at every computer startup.
It also creates:
1) Zip.tmp, 12958 bytes (copy of photos.zip)
2) Exe.tmp, 12832 bytes (copy of photos.jpg.exe)
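The mail-side traits described above (a subject ending in a random token that is repeated at the end of the body, and a ZIP attachment holding a double-extension executable) can be checked at a mail gateway. The Python below is an added example, not part of the original description; the function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject from this description: fixed text, spaces, then a random token.
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\s+(\S+)\s*$")
# Deceptive double extension; both extension lists are assumptions.
DOUBLE_EXT_RE = re.compile(r"\.(jpg|jpeg|gif|doc|txt|pdf)\.(exe|scr|pif|com|bat)$", re.I)

def zip_double_ext_members(data):
    """Return names inside a ZIP that use a deceptive double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if DOUBLE_EXT_RE.search(n)]
    except zipfile.BadZipFile:
        return []

def inspect_message(raw):
    """Return the list of indicators matched by one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if m:
        hits.append("subject")
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body else ""
        # The token that ends the subject is also the last word of the body.
        if text.split()[-1:] == [m.group(1)]:
            hits.append("token-repeated-in-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            bad = zip_double_ext_members(part.get_content())
            if bad:
                hits.append("zip-double-extension:" + ",".join(bad))
    return hits

def build_sample(subject, body, member):
    """Constructed test message; the ZIP member holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "james@example.invalid", "user@example.invalid", subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("Re[2]: our private photos      kiikafea", "Kiss, James.\nkiikafea\n", "photos.jpg.exe")))
```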
Name: I-WORM.MiMail.E
AKA:
Type: Internet Worm
Size: 10912 bytes (readnow.zip), 10784 bytes (readnow.doc.scr)
Platform: Win 95/98/ME/NT/2000/XP
Description: