Alias: W32/Mimail.q@MM, WORM_MIMAIL.Q
Type: Worm
Size: 32.758 Bytes, 50.720 Bytes
Origin: unknown
Date: 01-26-2004
Damage: Spreads itself by email, backdoor routine
VDF Version: 6.23.00.45
Danger: Low
Distribution: Medium

General Description
Worm/Mimail.q is a worm that searches the local workstation for email addresses and mails itself to them using its own SMTP engine. It creates a polymorphic SYS32.EXE and a static OUTLOOK.EXE in the Windows directory. The worm shows a fake Microsoft dialog box in which the user is asked to enter personal data.

Symptoms
* increased email traffic

Distribution
* sends itself by email

Technical Details
When the worm is active, it shows a dialog box with the message "ERROR: Bad CRC32". Meanwhile it creates the following files:
* %WinDIR%\Sys32.exe
* %WinDIR%\Outlook.exe

It registers itself as a service process and creates the following registry entries:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\sys32.exe"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
Explorer = 1
Explorer2 = 1
Explorer3 = 1
Explorer4 = 1
Explorer5 = 1

The worm shows a fake "Windows Expiration Notification" window in which you are asked for your name, address, phone number and credit card number.

To produce this window, Worm/Mimail.q creates the following files:
* C:\Logo.jpg
* C:\Logobig.gif
* C:\Mshome.hta
* C:\Wind.gif

Afterwards the worm searches the Cookies directory for data containing saved information about e-gold.com accounts and writes it to two temporary files, TMPGLD.TXT and TMPEG2.TXT. These files are sent to unknown email addresses.

It also checks whether TCP ports 80, 1434 or 1433 are open, saves this information in a temporary file named SERV.TXT and sends it to an unknown address.

Via port 3000 a potential attacker can remotely control the infected computer.

The worm searches files with the following extensions for email addresses to send itself to:
* .wav
* .mp3
* .mpg
* .avi
* .cab
* .pdf
* .rar
* .zip
* .psd
* .dll
* .exe
* .com
* .ocx
* .vxd
* .gif
* .tif
* .jpg
* .bmp

The email addresses found are saved in Outlook.cfg in the Windows directory. The worm sends its polymorphic SYS32.EXE to all addresses found using its own SMTP engine. Subject, body and attachment vary. The attachment name is built from one of the following first words:
* my
* priv
* private
* prv
* the
* best
* super
* great
* cool
* wild
* sex

After an underscore or hyphen, it uses one of the following as the second word:
* pic
* img
* phot
* photos
* pctrs
* images
* imgs
* scene
* plp
* act
* action

The extension can be .exe, .scr, .pif, .jpg or .gif. Worm/Mimail.q can also use a double extension, for example ".jpg.exe" or ".gif.scr".
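The attachment-name grammar described above (first word, underscore or hyphen, second word, extension, optional second extension) can be turned into a mail-gateway detection rule. The following is an added example and not part of the Avira description: the word lists are copied from the text above, the sample filenames are constructed, and only names whose last extension is executable are flagged, because Windows runs the last extension regardless of a misleading ".jpg" in the middle.

```python
import re

# Word lists as given in the Worm/Mimail.q description above.
FIRST_WORDS = ("my", "priv", "private", "prv", "the", "best", "super", "great",
               "cool", "wild", "sex")
SECOND_WORDS = ("pic", "img", "phot", "photos", "pctrs", "images", "imgs",
                "scene", "plp", "act", "action")
EXTENSIONS = ("exe", "scr", "pif", "jpg", "gif")
EXECUTABLE_EXTENSIONS = ("exe", "scr", "pif")


def _alternation(words):
    """Build a regex alternation, longest first so 'private' is not cut to 'priv'."""
    return "|".join(sorted(map(re.escape, words), key=len, reverse=True))


# Pattern for the generated attachment names, with an optional double extension.
ATTACHMENT_RE = re.compile(
    r"^(?P<first>" + _alternation(FIRST_WORDS) + r")"
    r"[_-]"
    r"(?P<second>" + _alternation(SECOND_WORDS) + r")"
    r"\.(?P<ext1>" + _alternation(EXTENSIONS) + r")"
    r"(?:\.(?P<ext2>" + _alternation(EXTENSIONS) + r"))?$",
    re.IGNORECASE,
)


def classify_attachment(name):
    """Return a dict describing how the name fits the generator, or None if it does not."""
    match = ATTACHMENT_RE.match(name.strip())
    if not match:
        return None
    # Only the final extension decides what Windows will execute.
    final_ext = (match.group("ext2") or match.group("ext1")).lower()
    return {
        "first": match.group("first").lower(),
        "second": match.group("second").lower(),
        "double_extension": match.group("ext2") is not None,
        "final_extension": final_ext,
        "executable": final_ext in EXECUTABLE_EXTENSIONS,
    }


def scan_attachments(names):
    """Return the names that match the generator AND would run as a program."""
    flagged = []
    for name in names:
        info = classify_attachment(name)
        if info and info["executable"]:
            flagged.append(name)
    return flagged


# Constructed sample attachment names; the first one is the sample from the description.
SAMPLE_ATTACHMENTS = [
    "private_pic.jpg.exe",
    "cool-images.gif.scr",
    "best_photos.jpg",        # fits the grammar but is not executable
    "quarterly_report.pdf",   # unrelated attachment
    "my_pic.exe",
    "wild_action.pif",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(name, "->", classify_attachment(name))
    print("flagged:", scan_attachments(SAMPLE_ATTACHMENTS))
```

A gateway rule built this way stays narrow on purpose: a name such as best_photos.jpg matches the word lists but is reported as non-executable, so the rule only blocks what the worm can actually use to run SYS32.EXE on the recipient's machine.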

An email sent by Worm/Mimail.q can look like this:

Subject:
very cool picture only for you

Body:
Good evening my dearest %Name%,
I wondered
My brother had best sex I ever seen last night togather with the boss of Dr. Abuse %-)
I switched on my samsung camera and make excellent images!
Please don't show pictures to your bro, okay?

Attachment:
private_pic.jpg.exe

Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, first boot into Safe Mode: press F8 when starting the computer and select the 'safe mode' option from the menu that appears.

Delete the following files:
* %WinDIR%\sys32.exe
* %WinDIR%\outlook.exe

Then start "regedit" and delete the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\sys32.exe"

Restart your computer.

- for Windows 9x/Me:
To remove the worm by hand, first boot into Safe Mode: press F8 when starting the computer and select the 'safe mode' option from the menu that appears.

Delete the following files:

* %WinDIR%\sys32.exe
* %WinDIR%\outlook.exe

Then start "regedit" and delete the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\sys32.exe"

Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
