Alias: WORM_MIMAIL.F [Trend], Win32.Mimail.G [Computer Associates], Mimail.G [F-Secure], W32/Mimail-F [Sophos], I-Worm.Mimail.g, W32.Mimail.E@mm
Type: Worm
Size: 10,912 bytes (.zip), 10,784 bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution

The worm uses its own SMTP engine to spread by email. The email contains:

Subject: don't be late!

Body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.

Attachment: readnow.zip

readnow.zip contains the file readnow.doc.scr.

Technical Details

When activated, Worm/Mimail.G2 copies itself as %WinDIR%\sysload32.exe and creates the following registry entry so that it runs at every logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemLoad32" = "%WinDIR%\sysload32.exe"

The worm collects email addresses from files on the infected machine, skipping files with the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp. The harvested addresses are saved in the file %WinDIR%\eml.tmp.

It checks for a working Internet connection by trying to load www.google.com.
It then runs a Denial of Service (DoS) attack against the following sites:
mysupersales.com
www.mysupersales.com

It also creates two files in %WinDIR%:
Zip.tmp: a temporary copy of readnow.zip (10,912 bytes).
Exe.tmp: a temporary copy of readnow.doc.scr (10,784 bytes).
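The host and email indicators listed above can be turned into a simple offline check. The following script is an added example written for this description; it is not Avira's code. It assumes the Run key values and the %WinDIR% file listing are handed in as plain Python structures (for instance from a registry export and a directory listing collected during triage) rather than read live, and the double-extension rule for archive members is a generalisation beyond the page's single readnow.doc.scr case, which is an assumption of this example. Sample inputs are constructed, and the zip built by build_sample_zip holds an inert placeholder, not the worm.

```python
import io
import re
import zipfile

# Host indicators quoted from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SystemLoad32"
# Dropped file name -> expected size in bytes (None where the page gives no size).
DROPPED_FILES = {"sysload32.exe": 10784, "eml.tmp": None, "zip.tmp": 10912, "exe.tmp": 10784}

# Lure indicators quoted from the description above.
LURE_SUBJECT = "don't be late!"
LURE_ATTACHMENT = "readnow.zip"
LURE_MEMBER = "readnow.doc.scr"

# Assumption (generalisation): a document-looking name followed by an executable
# extension is treated as a disguised executable, not only the page's .doc.scr case.
DOUBLE_EXT = re.compile(r"\.(doc|txt|pdf|xls|htm|html|jpg)\.(scr|exe|pif|com|bat|cmd)$", re.I)


def check_run_entries(entries):
    """entries: mapping of Run value name -> command, as exported from RUN_KEY.
    Returns the entries matching the worm's persistence value."""
    hits = []
    for name, cmd in entries.items():
        if name.lower() == RUN_VALUE_NAME.lower() or cmd.strip('"').lower().endswith("sysload32.exe"):
            hits.append(f"{RUN_KEY}\\{name} = {cmd}")
    return hits


def check_windir_listing(listing):
    """listing: iterable of (filename, size_in_bytes) for %WinDIR%.
    Returns matching dropped files, noting a size that differs from the page's value."""
    hits = []
    for fname, size in listing:
        key = fname.lower()
        if key not in DROPPED_FILES:
            continue
        expected = DROPPED_FILES[key]
        note = "" if expected is None or expected == size else f" (size {size}, expected {expected})"
        hits.append(f"%WinDIR%\\{fname}{note}")
    return hits


def suspicious_zip_members(zip_bytes):
    """Return member names in a zip attachment that match the lure or look like a disguised executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower() == LURE_MEMBER or DOUBLE_EXT.search(n)]


def check_mail(subject, attachments):
    """attachments: list of (filename, raw_bytes). Returns the reasons a gateway would quarantine the mail."""
    reasons = []
    if subject.strip().lower() == LURE_SUBJECT:
        reasons.append(f"subject matches lure: {subject!r}")
    for fname, data in attachments:
        if fname.lower() == LURE_ATTACHMENT:
            reasons.append(f"attachment name matches lure: {fname}")
        if fname.lower().endswith(".zip"):
            for member in suspicious_zip_members(data):
                reasons.append(f"archive {fname} contains disguised executable {member}")
    return reasons


def build_sample_zip(member_name=LURE_MEMBER):
    """Constructed sample: a zip whose only member is an inert placeholder (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder - not the worm")
    return buf.getvalue()


# Constructed sample inputs: one infected Run key export and one %WinDIR% listing.
SAMPLE_RUN = {"SystemLoad32": r'"%WinDIR%\sysload32.exe"', "ctfmon": "ctfmon.exe"}
SAMPLE_LISTING = [("sysload32.exe", 10784), ("eml.tmp", 2048), ("explorer.exe", 1032192), ("zip.tmp", 10912)]

if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN) + check_windir_listing(SAMPLE_LISTING):
        print("host indicator:", hit)
    for reason in check_mail("don't be late!", [("readnow.zip", build_sample_zip())]):
        print("mail indicator:", reason)
```

On a live Windows host the same checks can be fed from the output of reg export on the Run key and a directory listing of %WinDIR%; the file sizes quoted on the page are worth comparing, since a different size points at a variant rather than this exact sample.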
Description inserted by Crony Walker on Tuesday, June 15, 2004
