How it works
MiMail.c arrives as e-mail from someone named James. The subject line reads: "Re[2]: our private photos." And the attached filename is photos.zip.

Should the attached file be opened, MiMail.c will attempt to install itself. It first copies itself to the Windows directory as Netwatch.exe, then updates the system Registry to call upon that file. MiMail.c searches files on the infected hard drive for any e-mail address, then attempts to send copies of itself to each of those addresses.

The worm also carries a denial-of-service attack payload. MiMail tests Internet connectivity by attempting to contact the Google Web site. Once an Internet connection is confirmed, the worm then uploads information via port 80 and ICMP, so far, mostly gibberish, to a predetermined list of e-mail addreses in what could be a denial-of?service attack on addresses with the name "darkprofits" within the URL.

What to look for
MiMail will create the following files in the Windows subdirectory of an infected PC:

Netwatch.exe
Exe.tmp
Eml.tmp

It also creates the following Registry file:

Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\ Run "NetWatch32" = C:\WINNT\Netwatch.exe

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.