W32.Mimail.A@mm

Aliases: WORM_MIMAIL.A, W32/Mimail.a@MM, Win32.Mimail.A, W32/Mimail-A, I-Worm.Mimail
Variants: W32/Mimail-I, W32/[email protected], W32/[email protected], I-Worm.NetWatch, W32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 01 Aug 2003
Damage: Low

Characteristics: According to some antivirus vendors, W32.Mimail.A@mm belongs to a family of data-stealing malware known for using the host machine's e-mail facility to transmit sensitive information to the remote attacker. The worm has been observed to exploit certain vulnerabilities in the operating system. It can capture data from the windows the user has active, and it can retrieve critical system information from the host machine.

More details about W32.Mimail.A@mm

When W32.Mimail.A@mm is executed on a vulnerable system, it extracts its main executable into the operating system directory. It then creates a new value in the Windows Registry that points to that exact location on disk, placing it under the Run key so that the worm is loaded automatically every time the host machine boots. Next it harvests e-mail addresses from virtually every known source in the file system and stores all of the retrieved addresses in a temporary file in the same location as its main executable.
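The persistence step described above (an executable dropped into the OS directory plus a Run value pointing at it) is something a responder can triage from a registry export. The following is an added example, not code from the page or from any antivirus vendor: it parses a constructed `.reg` export of the Run key and flags values whose program sits directly in the Windows directory or in a Temp folder. The value names, paths and the `placeholder_worm.exe` file name are all made up for the sample; real Run keys also hold legitimate entries, so the output is a review list, not a verdict.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample of a .reg export (not a real capture); the worm entry is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"PLACEHOLDER_WORM"="C:\\WINDOWS\\placeholder_worm.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe\" /silent"
"""

# Matches the [HKEY_...\CurrentVersion\Run] and \RunOnce key headers of a .reg file.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE)
# Matches one "name"="data" line inside a key.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command_line} for every Run/RunOnce key in a .reg export."""
    values: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        if in_run_key:
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape quotes as \" and backslashes as \\; undo that.
                values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values


def executable_path(command: str) -> str:
    """Pull the program path out of a Run value's command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


# Directories where an auto-start executable deserves a second look (assumption, tune per site).
OS_ROOT_DIRS = {"c:\\windows", "c:\\winnt"}


def suspicious_run_entries(reg_text: str) -> List[str]:
    """Names of Run values whose program lives directly in the OS root dir or under a Temp folder."""
    hits = []
    for name, command in parse_run_values(reg_text).items():
        path = executable_path(command).lower()
        if ntpath.dirname(path) in OS_ROOT_DIRS or "\\temp\\" in path:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for entry in suspicious_run_entries(SAMPLE_REG):
        print("review:", entry)
```

Running it on the sample lists the placeholder worm entry (program directly in C:\WINDOWS) and the Temp-folder updater, while the Program Files entry is left alone; on a real export you would feed the text of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and review each hit against the file on disk.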

It also attempts to capture the text content of open windows and include it in the e-mail messages it sends to the harvested recipients. W32.Mimail.A@mm uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send these messages, so it does not depend on the user's mail client. The attachment is normally a compressed file in ZIP format containing a single file that the worm uses to carry a codebase exploit. It creates an executable file in the Temporary Internet Files folder and two additional temporary files that are copies of its ZIP attachment.
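Because the propagation path above is an e-mail with a ZIP attachment wrapping one risky file, a mail gateway or responder can catch it by looking inside the archive rather than at the `.zip` name alone. The following is an added example, not code from the page or from any antivirus vendor: it builds a constructed sample message with a ZIP attachment, then parses the MIME structure, opens each ZIP attachment in memory and reports members with executable or HTML extensions. The sender address, subject, file names and the extension list are assumptions for the example; the HTML content is a placeholder and contains no exploit.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions that should not arrive inside a mail attachment from strangers (assumption, tune per site).
# .htm/.html is included because the page describes the attached file as carrying a codebase exploit.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta",
                    ".htm", ".html", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): a mail whose ZIP attachment wraps one .htm file."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("message.htm", "<html>placeholder, no real worm content</html>")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "your account"
    msg.set_content("see attached")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def risky_zip_members(zip_bytes: bytes) -> List[str]:
    """Names of archive members with a risky extension; unreadable archives are reported too."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXTENSIONS)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]


def triage_message(raw: bytes) -> List[str]:
    """Return 'attachment -> member' findings for risky content in the message's attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes as well as the name, so a renamed archive is still inspected.
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            for member in risky_zip_members(payload):
                findings.append(f"{name} -> {member}")
        elif name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"{name} -> <direct risky attachment>")
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print("flag:", finding)
```

On the sample the triage reports `message.zip -> message.htm`; a plain-text reply with no attachment produces an empty list. The check is deliberately based on the archive's member list, not on the ZIP file name, because the page notes that the worm's attachment is just a normal ZIP whose single member is the dangerous part.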