Win32:Mimail-C

is a UPX-packed worm that spreads via e-mail. It is very similar to Win32:MiMail-A from August.

The infected messages have the following characteristics:
Subject line: Re[2]: our private photos [random letters]
Text:
Hello Dear!

Finaly i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.

Kiss, James.

Attached file: photos.zip

Photos.zip is a ZIP archive containing an executable file named photos.jpg.exe, so the user must unpack the archive before the worm can be run.

The worm sends itself to all addresses found on the hard drive of the infected computer. It stores the collected e-mail addresses in a file called eml.tmp in the Windows folder. In order to run automatically when Windows starts up, the worm copies itself to the file netwatch.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32

This worm uses a forged sender address in the From field of the sent e-mails: james@[recipient_domain].
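As an added example (not avast! code), a mail-gateway check in Python that flags the traits listed above: the subject pattern, the forged james@[recipient_domain] sender, the photos.zip attachment and any .exe member inside a ZIP attachment. The sample message is constructed inline; the rule and function names are assumptions.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators taken from the Win32:Mimail-C description (hypothetical rule names)
SUBJECT_RE = re.compile(r"^Re\[2\]: our private photos\b", re.IGNORECASE)
FORGED_SENDER_LOCAL = "james"
ATTACHMENT_NAME = "photos.zip"

def executables_in_zip(data: bytes) -> list:
    """Return ZIP member names ending in .exe (catches double extensions like photos.jpg.exe)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []

def mimail_c_indicators(raw: bytes) -> list:
    """Parse one RFC 822 message and list which Mimail-C traits it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    s_addr = parseaddr(msg.get("From", ""))[1].lower()
    r_addr = parseaddr(msg.get("To", ""))[1].lower()
    if "@" in s_addr and "@" in r_addr:
        s_local, s_dom = s_addr.split("@", 1)
        # The worm forges From as james@<recipient's own domain>
        if s_local == FORGED_SENDER_LOCAL and s_dom == r_addr.split("@", 1)[1]:
            hits.append("forged-from")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
        if name.endswith(".zip"):
            for member in executables_in_zip(part.get_payload(decode=True)):
                hits.append("zip-exe:" + member)
    return hits

def build_sample() -> bytes:
    """Constructed message mimicking the description above (not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("photos.jpg.exe", b"MZ-not-a-real-binary")  # placeholder payload
    msg = EmailMessage()
    msg["Subject"] = "Re[2]: our private photos xkq"
    msg["From"] = "James <james@example.com>"
    msg["To"] = "victim@example.com"
    msg.set_content("Hello Dear!\n\nRight now enjoy the photos.\n\nKiss, James.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(mimail_c_indicators(build_sample()))
```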

The worm tries to perform a DoS (Denial of Service) attack on the following sites:
darkprofits.com
darkprofits.net
www.darkprofits.com
www.darkprofits.net

The worm steals information from a specific Windows application and tries to send it to several e-mail addresses that are stored in encrypted form in the worm's body.

Removal:
To remove this virus please use our free avast! Virus Cleaner.

avast! with a VPS file dated 31st October 2003 or later detects this worm.
