Alias: I-Worm.Mimail.h [Kaspersky], W32/Mimail-H [Sophos], W32/Mimail.h@MM [McAfee], WORM_MIMAIL.H [Trend], Mimail.H [F-Secure], W32.Mimail.G@mm
Type: Worm
Size: 10,912 bytes (.zip), 10,784 bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution: The worm uses its own SMTP engine to spread by email. The email contains:

Subject: don't be late!

Body: Hello Dear!, Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.

Attachment: readnow.zip (readnow.zip contains the file readnow.doc.scr.)
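As an added defender-side example (not part of this description), the check below parses a constructed message shaped like the worm's email and flags the lure subject, the readnow.zip attachment name and the double-extension executable inside the archive; the sample message, the executable-suffix list and the placeholder archive member are assumptions, not the worm itself.

```python
# Added example (not from the original description): a mail-gateway check for
# the Mimail.H lure. All input is constructed; the zip member is a placeholder.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_SUFFIXES = {".scr", ".exe", ".pif", ".com", ".bat"}  # assumed local policy list
LURE_SUBJECT = "don't be late!"
LURE_ATTACHMENT = "readnow.zip"

def zip_member_findings(data: bytes) -> list[str]:
    """Flag archive members whose last suffix is executable (e.g. readnow.doc.scr)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = name.lower().rsplit(".", 2)
            if len(parts) >= 2 and "." + parts[-1] in EXEC_SUFFIXES:
                kind = "double-extension executable" if len(parts) == 3 else "executable"
                findings.append(f"{kind} in archive: {name}")
    return findings

def inspect_message(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    if (msg["subject"] or "").strip().lower() == LURE_SUBJECT:
        findings.append("subject matches Mimail.H lure")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname == LURE_ATTACHMENT:
            findings.append("attachment name matches Mimail.H lure")
        if fname.endswith(".zip"):
            findings.extend(zip_member_findings(part.get_payload(decode=True)))
    return findings

def build_sample() -> bytes:
    """Constructed message in the shape of the worm's email (placeholder payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readnow.doc.scr", b"placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("Hello Dear!, Will meet tonight as we agreed ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="readnow.zip")
    return msg.as_bytes()
```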

Technical Details: When activated, Worm/Mimail.H2 copies itself to %WinDIR%\cnfrm33.exe and creates the following registry entry (a Run key, so the copy is started with Windows):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Cn323" = "%WinDIR%\cnfrm33.exe"

The worm collects email addresses from all files except those with the following extensions:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp
The collected addresses are saved in the file %WinDIR%\eml.tmp.

It checks for a working Internet connection and tries to load www.google.com. It then launches a denial-of-service (DoS) attack against the following sites:
spamhaus.org
spews.org

It also creates two files in %WinDIR%:
Zip.tmp: A temporary copy of readnow.zip (10,912 bytes).
Exe.tmp: A temporary copy of cnfrm33.exe (10,784 bytes).
Description inserted by Crony Walker on Tuesday, June 15, 2004
