Alias: I-Worm.Mimail.f [Kaspersky], W32/Mimail.f@MM [McAfee], WORM_MIMAIL.G [Trend], Win32.Mimail.E [Computer Associates], W32/Mimail-E [Sophos], Mimail.F [F-Secure], W32.Mimail.D@mm
Type: Worm
Size: 10,912 Bytes (.zip), 10,784 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution

The worm uses its own SMTP engine for email spreading. The email contains:

Subject: don't be late!

Body: Hello Dear!, Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.

Attachment: readnow.zip

Technical Details

When activated, Worm/Mimail.F copies itself as %WinDIR%\cnfrm.exe and makes the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Cnfrm32" = "%WinDIR%\cnfrm.exe"

It collects email addresses from files, excluding the following types: com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp. These addresses are saved in the file %WinDIR%\eml.tmp.

Then, it checks for a valid Internet connection and tries to load www.google.com.
It launches a Denial of Service (DoS) attack against the following sites:
fethard.biz
fethard-finance.com

It also creates the following files in %WinDIR%:
Zip.tmp: a temporary copy of readnow.zip (10,912 bytes).
Exe.tmp: a temporary copy of cnfrm.exe (10,784 bytes).
Description inserted by Crony Walker on Tuesday, June 15, 2004
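
A host check for the indicators listed in the Technical Details above, as an added example that is not part of the original description or any Avira tooling. It assumes only the registry value, file names and sizes stated on this page; the script and its variable names are illustrative.

```powershell
# Indicators taken from the description above; nothing else is assumed about the sample.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Cnfrm32'
$winDir   = $env:WinDir

# File name -> size in bytes stated in the description ($null where no size is given)
$files = [ordered]@{
    'cnfrm.exe' = 10784
    'exe.tmp'   = 10784
    'zip.tmp'   = 10912
    'eml.tmp'   = $null
}

$findings = @()

# Persistence: a Run value named "Cnfrm32" that points at %WinDIR%\cnfrm.exe
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{
        Indicator = "Run value $runValue"
        Detail    = $run.$runValue
        SizeMatch = $null
    }
}

# Dropped files in %WinDIR%; -Force also returns hidden or system files
foreach ($name in $files.Keys) {
    $path = Join-Path $winDir $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $expected = $files[$name]
        $findings += [pscustomobject]@{
            Indicator = "File $name"
            Detail    = "$path ($($item.Length) bytes)"
            SizeMatch = if ($null -ne $expected) { $item.Length -eq $expected } else { $null }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Worm/Mimail.F indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A file-name hit whose SizeMatch is False may be an unrelated file or a different variant, so treat it as a lead for a full scan rather than a confirmation.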
