Aliases: WORM_MIMAIL.A, W32/Mimail@MM, Win32.Mimail.A, W32/Mimail-A, I-Worm.Mimail
Variants: W32/Mimail-I, W32/Mimail.i@MM, W32/Mimail.j@MM, I-Worm.NetWatch, W32/Bics@mm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 01 Aug 2003
Damage: Low

Characteristics: According to some antivirus developers the W32.Mimail.A@mm belongs to a malware family of data thieves which are known for using the email messaging facility of the host machine to transmit sensitive information to the remote attacker. This malware has been observed to exploit certain vulnerabilities found in the operating system. It is capable of capturing data from active windows activated by the computer user as well as retrieving critical system information from the host machine.

More details about W32.Mimail.A@mm

Execution of the W32.Mimail.A@mm into a vulnerable computer system will cause the extraction of its trigger executable file into the directory of the operating system. It will create a corresponding new key value in the Windows Registry which will point to its exact location in the hard drive. The W32.Mimail.A@mm will use the Run command in relation to this new key value to allow it to load automatically on every boot up instance of the host machine. It will proceed by harvesting email addresses from virtually all known sources that can be found in the file system. All of the retrieved email addresses will be stored by the W32.Mimail.A@mm to a temporary file in the same location at its main executable file.

It will attempt to capture the textual contents of windows and include it in the email message that will be sent out to various recipients. The W32.Mimail.A@mm makes use of its built-in Simple Mail Transfer Protocol engine to send its email messages. The file attachment would normally be a compressed file in ZIP format. This attachment has one file that is used by the W32.Mimail.A@mm to generate a code base exploit. It will create an executable file in the folder for temporary internet files. The W32.Mimail.A@mm will create two additional temporary files which are copies of its ZIP format attachment.