W32/Mimail-D

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Mimail-D.

W32/Mimail-D is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named eml.tmp in the Windows folder. In order to run itself automatically when Windows starts up the worm copies itself to the file videodrv.exe in the Windows folder and adds the following registry entry :

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver

The emails sent by the worm have the following characteristics:

Subject line : your account

Message text : Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details. Best regards, Administrator

Attached file : message.zip

W32/Mimail-D spoofs the From field of the sent emails using the email address admin@<your domain>.

Message.zip is a compressed file containing an HTML file named message.html which contains a copy of the worm executable. The worm also creates a copy of the HTML file with the filename exe.tmp and a copy of message.zip named zip.tmp, both in the Windows folder. The HTML file will be detected by Sophos Anti-Virus as Troj/Sefex-A.

While searching for email addresses in files on the local hard drive W32/Mimail-D attempts to exclude files that have the following extensions from the search:

avi bmp cab com dll exe gif jpg mp3 mpg ocx pdf psd rar tif vxd wav zip