high
Summary
Summary
Action- More Information
| Protection available since | 21 November 2003 18:54:40 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please follow the instructions for removing W32/Mimail-K.
More Information
W32/Mimail-K is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up the worm copies itself to the file sysload32.exe in the Windows folder and adds the following registry
entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32
The emails sent by the worm may have the following characteristics:
Subject line : don't be late!<30 spaces><random characters>
Message text : Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
<random characters>
Attached file : readnow.zip
W32/Mimail-K spoofs the From field of the sent emails using the email address john@<your domain>
Readnow.zip is a compressed file which contains an executable file named readnow.doc.scr. The worm also creates a copy of itself named exe.tmp and a copy of readnow.zip named zip.tmp, both in the Windows folder.
While searching for email addresses in files on the local hard drive W32/Mimail-K attempts to exclude files that have the following extensions from the search:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
W32/Mimail-K also attempts denial of service attacks targeting:
darkprofits.cc
www.darkprofits.cc
darkprofits.ws
www.darkprofits.ws
|
