W32/Mimail-Q

Category: Viruses and Spyware
Protection available since: 26 Jan 2004 00:00:00 (GMT)
Type: Win32 worm
Last updated: 26 Jan 2004 00:00:00 (GMT)
Prevalence:


W32/Mimail-Q is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named outlook.cfg in the Windows folder.

The email can arrive with random properties which are built up from extensive lists contained within W32/Mimail-Q.

W32/Mimail-Q creates a fake Microsoft web page named MSHOME.HTA in the root folder in order to steal personal information. This page is displayed when W32/Mimail-Q is executed and prompts the user to enter credit card and other personal information.

Several files are dropped into C:\ and can be deleted:

logo.jpg
logobig.gif
mshome.hta
wind.gif.

In order to run automatically when Windows starts up, the worm copies itself to the file sys32.exe in the Windows folder and sets the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System
pointing to this file.

The worm also drops the file outlook.exe into the Windows folder.

W32/Mimail-Q displays a fake error message
ERROR: Bad CRC32
when run.
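
The dropped files and the Run entry listed above can be checked together on a host. The script below is an added example, not Sophos code; the function names, the dictionary form of the Run key values (as a caller would read them with winreg) and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path, PureWindowsPath

# Indicators from the description above, compared in lower case because
# Windows file names are case-insensitive.
ROOT_FILES = {"logo.jpg", "logobig.gif", "mshome.hta", "wind.gif"}
WINDOWS_FILES = {"sys32.exe", "outlook.exe", "outlook.cfg"}
RUN_VALUE_NAME = "System"  # value under HKLM\...\CurrentVersion\Run


def _present(folder, names):
    """Return the indicator names that exist as files directly in folder."""
    folder = Path(folder)
    if not folder.is_dir():
        return set()
    return {p.name.lower() for p in folder.iterdir()
            if p.is_file() and p.name.lower() in names}


def run_entry_matches(run_values):
    """True if the Run key's 'System' value points at a file named sys32.exe."""
    for name, command in run_values.items():
        if name.lower() != RUN_VALUE_NAME.lower():
            continue
        command = command.strip()
        # A quoted command line keeps its path between the first pair of quotes.
        target = command.split('"')[1] if command.startswith('"') else command
        if PureWindowsPath(target).name.lower() == "sys32.exe":
            return True
    return False


def check_host(system_root, windows_dir, run_values):
    """Collect every listed artifact found; empty results mean no match."""
    return {"root_files": sorted(_present(system_root, ROOT_FILES)),
            "windows_files": sorted(_present(windows_dir, WINDOWS_FILES)),
            "run_key": run_entry_matches(run_values)}


def demo():
    """Run the check on a constructed directory tree (not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, windows = Path(tmp), Path(tmp) / "WINDOWS"
        windows.mkdir()
        for name in ("MSHOME.HTA", "logo.jpg", "notes.txt"):
            (root / name).write_text("constructed sample")
        for name in ("Sys32.exe", "outlook.cfg", "explorer.exe"):
            (windows / name).write_text("constructed sample")
        run = {"System": r"C:\WINDOWS\sys32.exe", "Updater": r"C:\Tools\up.exe"}
        return check_host(root, windows, run)
```

A generic name such as logo.jpg in C:\ is weak evidence on its own; the combination with sys32.exe in the Windows folder and the Run entry is what matches this description.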
