WORM_MIMAIL.F [Trend], Win32.Mimail.G [Computer Associates], Mimail.G [F-Secure], W32/Mimail-F [Sophos], I-Worm.Mimail.g, W32.Mimail.E@mm
10.912 Bytes (.zip), 10,784 By
Sent by email.
The worm uses its own SMTP engine for email spreading. The email contains:
Subject: don't be late!
Body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
readnow.zip contains the file readnow.doc.scr.
When activated, Worm/Mimail.G2 copies itself as %WinDIR%\sysload32.exe and makes the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemLoad32" = "%WinDIR%\sysload32.exe"
The worm collects email addresses from files on the system, skipping files with the following extensions:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp.
The collected addresses are saved in the file %WinDIR%\eml.tmp.
It checks for a valid Internet connection and tries to load www.google.com.
Then it launches a Denial of Service (DoS) attack against the following sites:
It also creates two files in %WinDIR%:
Zip.tmp: a temporary copy of readnow.zip (10,912 bytes).
Exe.tmp: a temporary copy of readnow.doc.scr (10,784 bytes).
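The file names, sizes and Run value listed above can be turned into a host check. The following is an added example, not Avira's code: the function names are hypothetical, the Run key contents are assumed to have been exported into a name-to-data mapping, and the demo data is constructed.

```python
import os
import tempfile

# Indicators from the description above; size in bytes where the page states one.
ARTIFACTS = {
    "sysload32.exe": None,  # installed copy of the worm
    "eml.tmp": None,        # harvested e-mail addresses
    "zip.tmp": 10912,       # temporary copy of readnow.zip
    "exe.tmp": 10784,       # temporary copy of readnow.doc.scr
}
RUN_VALUE = "SystemLoad32"
RUN_TARGET = "sysload32.exe"

def scan_windir(windir):
    """Return {artifact name: size matches} for worm files directly in windir."""
    found = {}
    for entry in os.scandir(windir):
        name = entry.name.lower()  # Windows file names are case-insensitive
        if name in ARTIFACTS and entry.is_file():
            expected = ARTIFACTS[name]
            found[name] = expected is None or entry.stat().st_size == expected
    return found

def check_run_key(run_values):
    """run_values: value name -> data, exported from the HKLM ...\\Run key."""
    hits = []
    for name, data in run_values.items():
        by_name = name.lower() == RUN_VALUE.lower()
        # Heuristic: any Run entry whose target file is sysload32.exe
        by_data = data.lower().rstrip('"').endswith("\\" + RUN_TARGET)
        if by_name or by_data:
            hits.append(name)
    return hits

def demo():
    """Constructed sample: a stand-in %WinDIR% and Run key export."""
    with tempfile.TemporaryDirectory() as windir:
        for fname, size in (("Zip.tmp", 10912), ("Exe.tmp", 10784),
                            ("SYSLOAD32.EXE", 10784), ("notepad.exe", 5)):
            with open(os.path.join(windir, fname), "wb") as fh:
                fh.write(b"\0" * size)
        files = scan_windir(windir)
    run = {"SystemLoad32": r"%WinDIR%\sysload32.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
    return files, check_run_key(run)

if __name__ == "__main__":
    print(demo())
```

A size mismatch on zip.tmp or exe.tmp is reported as False rather than dropped, since an unrelated file with the same name still deserves a look.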
Description inserted by Crony Walker on Tuesday, June 15, 2004