





This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Email-Worm:W32/Mimail.D is a worm that propagates in infected e-mail attachments. The worm file is a PE executable 24608 bytes long. It is not compressed.

The worm can also exploit a vulnerability to drop and execute a file. Apart from this, Mimail.D does not have a payload. Mimail.D was found on 1 November, 2003.


The worm installs itself as VIDEODRV.EXE in the Windows directory and creates a startup key for its file in the Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "VideoDriver" = "%windir%\videodrv.exe"

where %windir% is the name of the Windows directory.


The worm spreads itself in the following message:

Subject:  your account 
Body:  Hello there,  
I would like to inform you about important information regarding your  
email address. This email address will be expiring.  
Please read attachment for details. 
Best regards, Administrator   
Attachment: message.zip  

The attachment contains message.html which, when opened in vulnerable versions of Internet Explorer (IE), will drop an executable named epo.exe and run it. For more information on the IE MHTML vulnerability used here, please see http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
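The message traits listed above (subject, attachment name, and the HTML file inside the archive) can be checked at a mail gateway or during mailbox triage. The following is an added example, not code from this description or from F-Secure; the function names are hypothetical and the sample messages are constructed with harmless placeholder content.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT = "your account"
ATTACHMENT = "message.zip"
ZIP_MEMBER = "message.html"


def mimail_d_indicators(raw: bytes) -> list:
    """Return the Mimail.D message traits found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT:
            continue
        hits.append("attachment-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")  # cannot inspect: flag for review
            continue
        if ZIP_MEMBER in names:
            hits.append("zip-member")
    return hits


def build_sample(subject: str, member: str, filename: str = ATTACHMENT) -> bytes:
    """Constructed test message; the archive holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "<html>placeholder</html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(mimail_d_indicators(build_sample("your account", "message.html")))
    print(mimail_d_indicators(build_sample("Quarterly report", "notes.txt", "report.zip")))
```

A message that matches all three traits is a strong candidate for quarantine; a single match, such as the attachment name alone, is only a triage hint.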
