high
Summary
Summary
Action- More Information
| Included in our products from | December 2003 (3.76) |
|---|---|
| Protection available since | 3 November 2003 10:23:16 (GMT) |
| Last updated | 3 November 2003 15:47:40 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Mimail-H.
More Information
W32/Mimail-H is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up the worm copies itself to the file cnfrm33.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cn323
The emails sent by the worm have the following characteristics:
Subject line: don't be late!<30 spaces><random characters>
Message text:
Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
<random characters>
Attached file: readnow.zip
W32/Mimail-H spoofs the From field of the sent emails using the email address john@<your domain>
Readnow.zip is a compressed file which contains an executable file named readnow.doc.scr. The worm also creates a copy of itself named exe.tmp and a copy of readnow.zip named zip.tmp, both in the Windows folder. W32/Mimail-H will occasionally generate and send corrupted copies of readnow.zip.
While searching for email addresses in files on the local hard drive W32/Mimail-H attempts to exclude files that have the following extensions from the search:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
W32/Mimail-H also attempts denial of service attacks targeting:
spamhaus.org
www.spamhaus.org
spews.org
www.spews.org
|
