Remove Worm.Mimail.C


About Mimail.C

Mimail.C is a worm that spreads via email and infects systems through a zipped attachment.

Remove this worm virus using McAfee Virus Scan 2004!

The emails sent by the worm look like this:

From: admin@<your domain>

Subject: Re[2]: our private photos

Message:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.

Attached file: photos.zip

Once unzipped, the file photos.htm creates an executable named foo.exe in the Temporary Internet Files directory and runs it. The exploit it relies on is patched by the April 2003 Cumulative Patch.

The following files are then created in the Windows directory:

netwatch.exe
exe.tmp (temporary copy of message.html)
zip.tmp (temporary copy of message.zip)

It also adds the following registry entry to the system so that it runs at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"NetWatch32" = C:\Windows\netwatch.exe

The worm looks for email addresses in files on the local drive. It attempts to exclude files with the following extensions from its search:

AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR, TIF, VXD, WAV, ZIP

The worm can launch a denial of service attack against the websites www.darkprofits.com and www.darkprofits.net.


How to Remove Mimail.C? 

Follow these steps to remove the MiMail.C worm.

1) Turn off System Restore on Windows Me, Windows XP and Windows 2003 systems.

2) End the running program, or reboot your system into Safe mode.

Open the Windows Task Manager by pressing CTRL+ALT+DEL on Win9x machines, or CTRL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
Locate the program named NETWATCH.EXE, click on it and choose End Task or End Process.


3) Remove the Registry entries

Click on Start|Run|Regedit.
In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, right-click the following entry and delete it:
"NetWatch32"="%Windows%\netwatch.exe"

Close the Registry Editor.

4) Delete the infected files

Open your Windows folder (such as C:\Windows or C:\WINNT), find the following files and delete them:

netwatch.exe, eml.tmp, zip.tmp, exe.tmp

5) Reboot the computer and run a thorough virus scan using your favorite antivirus program. Then apply the patches from the April 2003 Cumulative Update.
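
An added example, not part of the original article: a small Python check that confirms the cleanup worked, given the text of a Regedit export of the Run key and a file listing of the Windows folder. The indicator names come from the steps above; the function names and sample data are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import ntpath
import re

# Indicators taken from the removal steps on this page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "netwatch32"
WORM_FILES = {"netwatch.exe", "eml.tmp", "zip.tmp", "exe.tmp"}

# A string value line in a .reg export: "Name"="Data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')

def run_values(reg_text):
    """Parse string values under the Run key from regedit export text."""
    values, in_run_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only values that sit under the exact Run key are collected.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run_key:
            m = VALUE_RE.match(line)
            if m:  # .reg files escape each backslash as "\\"
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def find_leftovers(reg_text, windows_dir_names):
    """Return sorted (kind, detail) findings; an empty list means clean."""
    findings = set()
    for name, data in run_values(reg_text).items():
        target = ntpath.basename(data).lower()
        if name.lower() == RUN_VALUE or target == "netwatch.exe":
            findings.add(("registry", f"{name} = {data}"))
    for fname in windows_dir_names:
        if fname.strip().lower() in WORM_FILES:  # Windows names are case-insensitive
            findings.add(("file", fname.strip()))
    return sorted(findings)

# Constructed sample input: a regedit export and a `dir /b` style listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NetWatch32"="C:\\WINDOWS\\netwatch.exe"
'''
SAMPLE_DIR = ["notepad.exe", "NETWATCH.EXE", "Zip.tmp", "win.ini"]

if __name__ == "__main__":
    for kind, detail in find_leftovers(SAMPLE_REG, SAMPLE_DIR):
        print(f"{kind}: {detail}")
```

An empty result after step 5 means none of the artefacts listed on this page remain; it does not replace the full antivirus scan.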

© 2003 SpyAny.com
All other trademarks are the sole property of their respective owners.