Alias:I-Worm.Mimail.e [Kaspersky], W32/Mimail-E [Sophos], WORM_MIMAIL.E [Trend], Win32.Mimail.E [Computer Associates], W32/Mimail.e@mm [McAfee], Mimail.E [F-Secure]
Type:Worm 
Size:10,912 bytes (.zip), 10,784 by 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:6.23.00.00 
Danger:Medium 
Distribution:High 

Distribution

The worm spreads by email, using its own SMTP engine. The email contains:

From: john@%current domain%

Subject: don't be late!

Body: Hello Dear!, Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.

Attachment: readnow.zip
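
A mail-gateway style check for the message traits listed above, as an added example that is not part of the original description. The function names and the sample message are constructed here, and matching only the sender's local part `john` is an assumption about how the From pattern would be tested.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the description on this page.
SUBJECT = "don't be late!"
ATTACHMENT = "readnow.zip"
ATTACHMENT_SIZE = 10912          # bytes, size given for readnow.zip
SENDER_LOCAL_PART = "john"       # assumption: only the local part is compared

def mimail_indicators(raw_message: bytes) -> list:
    """Return the names of the described indicators present in one message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.split("@")[0].lower() == SENDER_LOCAL_PART:
        hits.append("sender")
    # walk() visits every MIME part, so inline parts with a filename count too.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.append("attachment_name")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == ATTACHMENT_SIZE:
                hits.append("attachment_size")
            break
    return hits

def should_quarantine(hits: list) -> bool:
    """Hold the message if the attachment name plus one other trait match."""
    return "attachment_name" in hits and len(hits) >= 2

def build_sample() -> bytes:
    """Constructed test message: zero-filled attachment, not the real file."""
    m = EmailMessage()
    m["From"] = "john@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Don't be late!"
    m.set_content("constructed body text")
    m.add_attachment(b"\x00" * ATTACHMENT_SIZE, maintype="application",
                     subtype="zip", filename="READNOW.ZIP")
    return m.as_bytes()

if __name__ == "__main__":
    found = mimail_indicators(build_sample())
    print(found, should_quarantine(found))
```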

Technical Details

Worm/Mimail.A copies itself as %WinDIR%\cnfrm.exe.
It makes the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Cnfrm32" = "%WinDIR%\cnfrm.exe"

It collects email addresses from all files, except from those of type: com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp

The worm writes all these addresses in the file %WinDIR%\eml.tmp.
It checks for a valid Internet connection and tries to launch www.google.com.

It also creates the following two files in %WinDIR%:
Zip.tmp: A temporary copy of readnow.zip (10,912 bytes).
Exe.tmp: A temporary copy of cnfrm.exe (10,784 bytes).
Description created by Crony Walker on Tuesday, June 15, 2004
