A new variant of Mimail appeared on December 3, 2003. Taking its cue from Mimail.c, Mimail.m masquerades as nude photos supposedly enclosed in the attached ZIP file. Instead, users who extract the ZIP file will find an executable that, if opened, begins the mass-mailing anew and launches a Denial of Service (DoS) attack against several darkprofits websites. Ironically, darkprofits is best known for sending fraudulent emails claiming erroneous charges have been made on users' credit cards. To 'opt out' of the charges, users are instructed to provide their credit card details via one of the darkprofits sites. Doing so, of course, hands the Bangkok, Thailand site owners a fresh supply of credit card numbers for fraud and identity theft.
Mimail.m does not send itself using the infected system's mail client. Instead, it uses its own SMTP engine: it looks up the mail server for the recipient's domain (an MX lookup) and delivers the message to that server directly. Copies of the Mimail.m email therefore will not appear in the Sent Items folder of the mail client, and because the message never passes through the organization's own mail server or proxy, it may bypass email protection that depends on them.
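Because the worm's own SMTP engine connects straight to the recipients' mail servers, an infected workstation shows up on the network as a host opening outbound TCP/25 connections to many external addresses, which the organization's real mail gateway is normally the only host allowed to do. The script below is an added example, not code from the original article: it runs that check over a few constructed flow-log lines. The log format (timestamp, source, destination, destination port, protocol), the internal address range and the single allowed gateway address are all assumptions for the example.

```python
"""Flag internal hosts that deliver mail directly to external SMTP servers.

Added example, not part of the original article. Assumes a space-separated
flow log of the form
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
plus a hypothetical allow-list of hosts permitted to speak outbound SMTP
(the organisation's mail gateway). All sample data below is constructed.
"""
import ipaddress
from collections import Counter

# Assumption: a single mail gateway is the only legitimate outbound SMTP sender.
ALLOWED_SMTP_SENDERS = {"10.0.0.25"}

# Assumption: internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2003-12-03T09:14:01 10.0.0.25 203.0.113.10 25 tcp
2003-12-03T09:14:05 10.0.4.17 198.51.100.7 25 tcp
2003-12-03T09:14:06 10.0.4.17 198.51.100.9 25 tcp
2003-12-03T09:14:07 10.0.4.17 192.0.2.44 25 tcp
2003-12-03T09:14:09 10.0.4.17 10.0.0.25 25 tcp
2003-12-03T09:15:00 10.0.7.3 203.0.113.80 80 tcp
2003-12-03T09:15:30 10.0.9.9 192.0.2.200 25 tcp
"""


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one flow record into a dict; port becomes an int."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def direct_smtp_offenders(flow_text, threshold=1):
    """Return {src_ip: count} for internal hosts, other than the allowed
    gateway, that opened TCP/25 to an external address at least
    `threshold` times. Mail submitted to the internal gateway (an internal
    destination) is legitimate client behaviour and is not counted."""
    counts = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] != 25:
            continue
        if f["src"] in ALLOWED_SMTP_SENDERS:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # inbound mail, or a client talking to its own gateway
        counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in sorted(direct_smtp_offenders(SAMPLE_FLOWS).items()):
        print(f"{host}: {n} direct outbound SMTP connection(s)")
```

In the constructed sample, 10.0.4.17 is flagged for three direct deliveries (its one connection to the internal gateway is ignored), 10.0.9.9 for one, and the gateway itself is never reported. In practice the same logic belongs in an egress firewall rule that blocks outbound port 25 from everything but the mail gateway, with the log of blocked attempts serving as the infection alert.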
The Mimail.m email appears as follows:
- Subject: RE:Greg
Hi Greg its Wendy.
I was shocked, when I found out that it wasn't you but your twin brother, that's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember,I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.
...[omitted due to nature of content]...
I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...
Seeded copies of the Mimail.m email may also include the following:
- For unzip archiver download WinZip: http://download.winzip.com/winzip81.exe
Password for archive is "kiss".
The attachment accompanying the email will be named either wendy.zip or only_for_greg.zip. If the attachment is wendy.zip, the archive is password protected and the email includes the password details described above; the extracted file is wendy.exe. If the attachment is only_for_greg.zip, the archive is not password protected, the email carries no password instructions, and the extracted file is named for_greg.jpg.exe.
By default, Windows hides the extension of known file types, so for_greg.jpg.exe is displayed as for_greg.jpg and users might be tricked into believing the enclosed executable is a harmless JPG image. Ensure file extension viewing is enabled (in Windows Explorer, Folder Options > View, clear "Hide extensions for known file types") to avoid being fooled by this ruse.
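The two attachment variants described above illustrate the checks a mail gateway can apply to a ZIP attachment without executing anything: is any member an executable, is its real extension hidden behind a decoy one such as .jpg, and is the entry password protected (in which case its content cannot be scanned and the name is all the gateway has to go on). The script below is an added example, not code from the original article; the archives it inspects are constructed in memory and merely reuse the article's file names. The extension lists are assumptions, and because Python's zipfile module cannot write encrypted entries, the constructed samples are not password protected even though the check for that flag is present.

```python
"""Inspect ZIP attachments for disguised executables.

Added example, not code from the original article. Sample archives are
constructed in memory; the member names follow the article's wendy.zip and
only_for_greg.zip cases. Extension lists are assumptions for the example.
"""
import io
import zipfile

# Assumption: extensions Windows will execute on double-click.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Assumption: "harmless" extensions used as decoys in double-extension names.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "pdf"}


def classify_name(name):
    """Return the reasons a member name looks dangerous (empty if none).
    Only the final path component is examined, case-insensitively."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXTENSIONS:
        reasons.append("executable")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension")
    return reasons


def inspect_zip(data):
    """Return {member_name: [reasons]} for every suspicious entry in the
    archive bytes. Bit 0 of the general-purpose flag marks an encrypted
    entry; such entries are reported because their content cannot be
    scanned, and the name check still applies to them."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if info.flag_bits & 0x1:
                reasons.append("password protected")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Build an (unencrypted) archive in memory from {name: bytes}.
    Used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples named after the article's two attachment variants;
# the payloads are placeholder bytes, not the worm.
ONLY_FOR_GREG = build_zip({"for_greg.jpg.exe": b"MZ placeholder"})
WENDY = build_zip({"wendy.exe": b"MZ placeholder"})
HARMLESS = build_zip({"photos/beach.jpg": b"\xff\xd8\xff placeholder"})

if __name__ == "__main__":
    for label, data in [("only_for_greg.zip", ONLY_FOR_GREG),
                        ("wendy.zip", WENDY),
                        ("photos.zip", HARMLESS)]:
        print(label, inspect_zip(data) or "clean")
```

The only_for_greg.zip sample is reported both as an executable and as a double extension; the wendy.zip sample as an executable only. A real gateway would add the "password protected" reason for the genuine wendy.zip, since the worm ships it encrypted with the password "kiss" in the message body precisely so that the archive contents cannot be scanned in transit.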
Removal instructions
Antivirus software with definitions updated after December 3, 2003 is capable of detecting and removing the Mimail.m worm. To manually remove the worm, edit the system Registry and remove the value:
- 'NetMon = C:\Windows\netmon.exe'
from the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the following files dropped or created by the Mimail.m worm:
- C:\Windows\msi2.tmp
- C:\Windows\xjwu2.tmp
- C:\Windows\netmon.exe
- C:\Windows\nji2.tmp
Note that C:\Windows is used to signify the Windows directory and may differ on individual systems.

