I-Worm.Mimail.f [Kaspersky], W32/Mimail.f@MM [McAfee], WORM_MIMAIL.G [Trend], Win32.Mimail.E [Computer Associates], W32/Mimail-E [Sophos], Mimail.F [F-Secure], W32.Mimail.D@mm
10.912 Bytes (.zip), 10,784 By
Sent by email.
The worm uses its own SMTP engine for email spreading. The email contains:
Subject: don't be late!
Body: Hello Dear!, Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
When activated, Worm/Mimail.F copies itself as %WinDIR%\cnfrm.exe and makes the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Cnfrm32" = "%WinDIR%\cnfrm.exe"
It collects email addresses from files, excluding the following types: com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp. These addresses are saved in the file %WinDIR%\eml.tmp.
Then, it checks for a valid Internet connection and tries to load www.google.com.
It runs a Denial of Service (DoS) on the following sites:
It also creates the following files in %WinDIR%:
Zip.tmp: a temporary copy of readnow.zip (10,912 bytes).
Exe.tmp: a temporary copy of cnfrm.exe (10,784 bytes).
Description inserted by Crony Walker on Tuesday, June 15, 2004
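A host check for the artifacts listed in this description, as an added example that is not part of the original Avira entry. It assumes the Run key has been exported as text with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; the function names and the sample output are constructed for illustration.

```python
import os
import re

# Artifacts the description places directly in %WinDIR%, with the byte
# counts it states (None = size not stated on the page).
ARTIFACTS = {"cnfrm.exe": 10784, "exe.tmp": 10784, "zip.tmp": 10912, "eml.tmp": None}
RUN_VALUE = "cnfrm32"  # Run-key value name, compared case-insensitively

# Constructed sample of `reg query` output for the HKLM Run key.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SomeTool    REG_SZ    C:\Program Files\SomeTool\tool.exe
    Cnfrm32    REG_SZ    C:\WINDOWS\cnfrm.exe
"""

def scan_windir(windir):
    """Return {filename: 'size-match' | 'name-only'} for artifacts in windir."""
    hits = {}
    for entry in os.scandir(windir):
        name = entry.name.lower()  # Windows file names are case-insensitive
        if name in ARTIFACTS and entry.is_file():
            expected = ARTIFACTS[name]
            same = expected is not None and entry.stat().st_size == expected
            hits[name] = "size-match" if same else "name-only"
    return hits

def scan_run_key(reg_query_text):
    """Return the data of the Cnfrm32 value from `reg query` output, else None."""
    for line in reg_query_text.splitlines():
        # Value lines are indented: Name    REG_SZ    Data
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m and m.group(1).lower() == RUN_VALUE:
            return m.group(2).strip()
    return None

def assess(windir, reg_query_text):
    """Combine file and registry findings into one report."""
    files = scan_windir(windir)
    run_data = scan_run_key(reg_query_text)
    # Persistence entry plus the dropped copy is the strongest signal;
    # a lone name-only file hit is weak and needs manual review.
    likely = run_data is not None and "cnfrm.exe" in files
    return {"files": files, "run_value": run_data, "likely_infected": likely}
```

Call `assess()` with the Windows directory of the host or mounted disk image and the saved `reg query` text; a `name-only` result means the file name matches but the size does not match the figure given above.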