The latest e-mail worm disguises itself as a ZIP file of steamy photos from the beach. MiMail.c (w32.mimail.c@mm) is the third variant of the MiMail virus family, and so far the fastest spreading. It carries with it the potential for a denial-of-service attack and the potential for loss of personal information stored on an infected computer. It does not infect Linux, Mac, or Unix OSs. Because MiMail.c spreads via e-mail and may launch a denial-of -service attack, this worm rates a 6 on the ZDNet Virus Meter.

How it works
MiMail.c arrives as e-mail from someone named James. The subject line reads: "Re[2]: our private photos." And the attached filename is photos.zip.

Should the attached file be opened, MiMail.c will attempt to install itself. It first copies itself to the Windows directory as Netwatch.exe, then updates the system Registry to call upon that file. MiMail.c searches files on the infected hard drive for any e-mail address, then attempts to send copies of itself to each of those addresses.

The worm also carries a denial-of-service attack payload. MiMail tests Internet connectivity by attempting to contact the Google Web site. Once an Internet connection is confirmed, the worm then uploads information via port 80 and ICMP, so far, mostly gibberish, to a predetermined list of e-mail addreses in what could be a denial-of–service attack on addresses with the name "darkprofits" within the URL.

What to look for
MiMail will create the following files in the Windows subdirectory of an infected PC:

Netwatch.exe
Exe.tmp
Eml.tmp

It also creates the following Registry file:

Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\ Run "NetWatch32" = C:\WINNT\Netwatch.exe

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.