Summary

| Affected operating systems | Windows |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Mimail-B.
More Information
W32/Mimail-B is a worm that spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named eml.tmp in the Windows folder. To run automatically when Windows starts, the worm copies itself to the file videodrv.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
The emails sent by the worm have the following characteristics:
Subject line: your account
Message text: Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details. Best regards, Administrator
Attached file: message.zip
W32/Mimail-B spoofs the From field of the sent emails using the email address admin@<your domain>.
Message.zip is a compressed file containing an HTML file named message.html which contains a copy of the worm executable. The worm also creates a copy of the HTML file with the filename exe.tmp and a copy of message.zip named zip.tmp, both in the Windows folder.
The HTML file will be detected by Sophos Anti-Virus as Troj/Sefex-A.
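As an added example (not Sophos code), a mail-gateway style check in Python for the email traits listed above: the subject line, the spoofed admin@ sender, and a message.zip attachment containing message.html. It assumes "<your domain>" means the recipient's own domain; the function names and the example.com sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def _addresses(header):
    """Parsed Address objects of a header, or () when it is missing."""
    return header.addresses if header is not None else ()

def mimail_b_traits(raw):
    """List which W32/Mimail-B email traits from the description a message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == "your account":
        hits.append("subject")
    # Assumption: "<your domain>" is the recipient's own mail domain.
    rcpt_domains = {a.domain.lower() for a in _addresses(msg["To"])}
    if any(a.username.lower() == "admin" and a.domain.lower() in rcpt_domains
           for a in _addresses(msg["From"])):
        hits.append("from")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment")
        try:
            data = part.get_payload(decode=True) or b""
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower() == "message.html" for n in zf.namelist()):
                    hits.append("inner-html")
        except zipfile.BadZipFile:
            pass  # named message.zip but not a ZIP archive: filename hit only
    return hits

def build_sample():
    """Constructed, harmless message with the same outward shape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", "<html>placeholder</html>")
    m = EmailMessage()
    m["Subject"] = "your account"
    m["From"] = "admin@example.com"
    m["To"] = "user@example.com"
    m.set_content("Please read attachment for details.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="message.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(mimail_b_traits(build_sample()))
```

A message that matches only the subject line is weak evidence on its own; the combination of all four traits is what corresponds to the description.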
While searching for email addresses in files on the local hard drive, W32/Mimail-B attempts to exclude files that have the following extensions from the search:
avi bmp cab com dll exe gif jpg mp3 mpg ocx pdf psd rar tif vxd wav zip
