W32/Mimail.c@MM
- Type
- Virus
- SubType
- E-mail worm
- Discovery Date
- 10/31/2003
- Length
- 12,832 bytes (UPX packed); 12,958 bytes (ZIP file)
- Minimum DAT
- 4301 (10/31/2003)
- Updated DAT
- 5656 (06/24/2009)
- Minimum Engine
- 5.1.00
- Description Added
- 10/31/2003
- Description Modified
- 11/05/2003 4:13 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update November 05, 2003 --
The risk-assessment of this threat was lowered to Low-Profiled after a significant reduction in prevalence over the past several days.
-- Update October 31, 2003 07:20 PST --
This worm was mass-spammed, which appears to have been the initial "seeding". An attachment named undelivered.hta (proactively detected as Downloader-BO.dr with the 4250+ DAT files) creates the file c:\mware.exe. This executable is the W32/Mimail.c@MM worm. When the .hta file is run, the following message is displayed:
Your message will be sent again in 1 hour. If it doesn't arrive - we will delete it from queue.
--
Due to the increased number of samples being submitted to AVERT, the risk assessment of this threat was raised to medium.
--
This mass-mailing worm spreads as a .ZIP file and carries both a denial-of-service attack and an information-stealing payload.
It bears similarities to a previous worm, W32/Mimail@MM. However, this variant does not use the codebase (MS02-015) and MHTML (MS03-014) exploits that the previous variants did.
A summary of the virus characteristics is as follows:
- contains its own SMTP engine for constructing messages
- mails itself as a ZIP attachment
- harvests email addresses from the local machine
- sends a large volume of garbage data to a remote server (DoS payload, see below)
- captures information and emails it to four addresses
Scanning of compressed files should always be enabled for optimal detection.
Mail Propagation
Target email addresses are harvested from files on the victim's machine. The worm skips files with the following extensions:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
Addresses are written to the file EML.TMP in %WinDir% (such as c:\windows). Testing shows the worm is overly lax in identifying valid email addresses; as a result, messages are likely to be sent to invalid recipients.
Outgoing messages are sent using the worm's own SMTP engine. They are formatted as follows:
Subject: Re[2]: our private photos (plus additional spaces then random characters)
Attachment: PHOTOS.ZIP (12,958 bytes), which contains PHOTOS.JPG.EXE (12,832 bytes)
Message Body:
Hello Dear!,
Finally, i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're withou ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
(random characters - the same as those terminating the subject)
Messages are constructed with the following X-headers:
X-Mailer: The Bat! (v1.62)
X-Priority: 1 (High)
The 'From' address of outgoing messages may be spoofed as james@(target domain.com), such as:
- james@abc.com
- james@xyz.com
- etc.
As with previous variants, the mailing routine queries for the mail server of the domain of the target (harvested) address, and messages are then sent through that SMTP server. The worm also contains a hardcoded IP address (212.5.86.163).
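As an added example (not from the advisory), a mail-gateway check in Python that flags messages matching the format described above: the fixed Subject prefix, the X-Mailer/X-Priority pair, and a PHOTOS.ZIP attachment containing PHOTOS.JPG.EXE. The sample message it builds is constructed from the advisory's description and holds dummy bytes, not the worm.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
# Message indicators taken from the advisory above.
SUBJECT_PREFIX = "Re[2]: our private photos"
X_MAILER = "The Bat! (v1.62)"
ZIP_NAME = "PHOTOS.ZIP"
INNER_NAME = "PHOTOS.JPG.EXE"

def zip_members(payload: bytes) -> list[str]:
    """Member names of a ZIP attachment, or [] if the bytes are not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def mimail_c_indicators(raw: bytes) -> set[str]:
    """Return the set of Mimail.c message indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg.get("Subject", "")).startswith(SUBJECT_PREFIX):
        hits.add("subject")
    if msg.get("X-Mailer") == X_MAILER and str(msg.get("X-Priority", "")).startswith("1"):
        hits.add("x-headers")
    for part in msg.iter_attachments():  # yields nothing for single-part mail
        if (part.get_filename() or "").upper() == ZIP_NAME:
            hits.add("zip-name")
            if any(n.upper() == INNER_NAME for n in zip_members(part.get_payload(decode=True) or b"")):
                hits.add("inner-exe")
    return hits

def is_mimail_c(raw: bytes) -> bool:
    """Flag if the ZIP carries the double-extension EXE, or the ZIP name pairs with subject or X-headers."""
    hits = mimail_c_indicators(raw)
    return "inner-exe" in hits or ("zip-name" in hits and bool(hits & {"subject", "x-headers"}))

def build_sample() -> bytes:
    """Constructed message mimicking the advisory's format; the ZIP holds dummy bytes, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(INNER_NAME, b"constructed dummy payload")
    m = EmailMessage()
    m["From"], m["To"] = "james@example.com", "victim@example.com"
    m["Subject"] = SUBJECT_PREFIX + "    qwzxk"
    m["X-Mailer"], m["X-Priority"] = X_MAILER, "1 (High)"
    m.set_content("Hello Dear!,\nRight now enjoy the photos.\nKiss, James.\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=ZIP_NAME)
    return m.as_bytes()
```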
Denial of Service
The worm sends a large amount of data to remote servers (port 80 and ICMP). It first verifies that a connection is active by contacting www.google.com; if that succeeds, an attack is initiated against the following domains:
- darkprofits.net
- darkprofits.com
- www.darkprofits.net
- www.darkprofits.com
Information stealing payload
The following email addresses are stored encrypted within the virus body and are the destinations for captured information. Analysis of the exact information gathered is ongoing.
- omnibbb@gmx.net
- drbz@mail15.com
- omnibcd@gmx.net
- kxva@mail15.com
Symptoms
- Presence of the files EXE.TMP and ZIP.TMP
- Desktop firewall application alerting that NETWATCH.EXE is trying to access the Internet.
- Large volumes of data being sent to port 80 of a remote server
Method of Infection
When run on the victim machine, the worm installs itself into %WinDir% as NETWATCH.EXE. For example:
C:\WINNT\NETWATCH.EXE (12,832 bytes)
Three other files are also dropped into %WinDir%:
- %WinDir%\EML.TMP - contains a list of the email addresses harvested from the victim machine
- %WinDir%\EXE.TMP - copy of the worm
- %WinDir%\ZIP.TMP - a ZIP archive containing the worm
System startup is hooked via the following Registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NetWatch32" = C:\WINNT\NETWATCH.EXE
This worm is written in MSVC. The samples received by AVERT have been UPX packed.
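As an added example (not the advisory's own tooling), a Python host check for the artifacts listed above: the files dropped into %WinDir% and the NetWatch32 Run value. The Run key is read with winreg on Windows and returns nothing elsewhere, so the value check takes the values as a dict; the fixture directory is constructed with dummy files and is not an infected system.

```python
import os, pathlib, tempfile, zipfile

# Host indicators taken from the advisory above; sizes are checked only where the advisory states them.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NetWatch32"
DROPPED = {"NETWATCH.EXE": 12832, "EXE.TMP": None, "ZIP.TMP": None, "EML.TMP": None}

def scan_windir(windir: str) -> dict[str, str]:
    """Report which dropped files exist in windir, checking size and ZIP contents where known."""
    findings = {}
    for name, size in DROPPED.items():
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            continue
        actual = os.path.getsize(path)
        note = "present" if size in (None, actual) else f"present, unexpected size {actual}"
        if name == "ZIP.TMP":
            try:
                with zipfile.ZipFile(path) as zf:
                    if any(n.upper() == "PHOTOS.JPG.EXE" for n in zf.namelist()):
                        note += ", contains PHOTOS.JPG.EXE"
            except zipfile.BadZipFile:
                note += ", not a valid ZIP"
        findings[name] = note
    return findings

def run_value_hit(run_values: dict[str, str]) -> bool:
    """True if the NetWatch32 Run value points at NETWATCH.EXE (values given as name -> data)."""
    return run_values.get(RUN_VALUE, "").upper().endswith("NETWATCH.EXE")

def read_run_values() -> dict[str, str]:
    """Read HKLM Run values with winreg on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # (subkeys, values, last_modified)
        return {winreg.EnumValue(key, i)[0]: str(winreg.EnumValue(key, i)[1]) for i in range(count)}

def build_fixture() -> str:
    """Constructed stand-in for an infected %WinDir%: dummy bytes, not the worm."""
    d = pathlib.Path(tempfile.mkdtemp())
    (d / "NETWATCH.EXE").write_bytes(b"\x00" * 12832)
    (d / "EML.TMP").write_text("someone@example.com\n")
    with zipfile.ZipFile(d / "ZIP.TMP", "w") as zf:
        zf.writestr("PHOTOS.JPG.EXE", b"\x00" * 16)
    return str(d)
```

On a live Windows host, call `run_value_hit(read_run_values())` and `scan_windir(os.environ["WINDIR"])`.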
Removal
All Users: Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Stand Alone Remover: Stinger has been updated to include detection/removal of this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
- WinNT/2K/XP - Terminate the process NETWATCH.EXE
- Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt):
- NETWATCH.EXE
- EXE.TMP
- EML.TMP
- Edit the registry: delete the "NetWatch32" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sniffer Customers: Filters have been developed that will look for Mimail.c traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].
ThreatScan users:
The latest ThreatScan signature (2003-10-31) includes detection of the Mimail.c virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.
To update your ThreatScan installations with the latest signatures perform the following tasks:
- From within ePO open the "Policies" tab.
- Select "McAfee ThreatScan" and then select "Scan Options"
- In the pane below click the "Launch AutoUpdater" button.
- Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update, a message will appear stating that update 2003-10-31 has completed successfully.
- From within ePO create a new "AutoUpdate on Agent(s)" task.
- Go into the settings for this task and ensure that the host field is set to ftp.nai.com (ftp://ftp.nai.com), the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp. Note that "tsc20" in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is "tsc25".
- Launch this task against all agent machines.
- When the task(s) complete information will be available in the "Task Status Details" report.
To create and execute a new task containing the new update functionality, do the following:
- Create a new ThreatScan task.
- Edit the settings of this task.
- Edit the "Task option", "Host IP Range" to include all desired machines to scan.
To scan for the virus:
- Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
- Select the "Other" category and "Scan All Vulnerabilities" template.
- Launch the scan.
For additional information:
- Run the "ThreatScan Template Report"
- Look for module number #4056
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Mimail.c (AVP)
- I-Worm.WatchNet (AVP)
- W32.Mimail.C@mm (Symantec)
- W32/Bics@MM
- W32/Mimail-C (Sophos)
- WORM_MIMAIL.C (Trend)