Email-Worm:W32/Mimail.G

Summary

This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Email-Worm:W32/Mimail.G is a worm that propagates in infected e-mail message attachments. The worm is also capable of launching Denial of Service (DoS) attacks on certain websites.

Mimail.G closely resembles the Mimail.C variant.

Mimail.G was found on 2 November, 2003.

Installation

Mimail.G is almost identical to the Mimail.C variant, except in the following points:

1. Mimail.G worm's file is 10784 bytes long, compressed with UPX file compressor and the unpacked file's size is 22560 bytes.

2. The worm installs itself to Windows folder as SYSLOAD32.EXE file and creates a startup key in the Registry:

• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "SystemLoad32" = "%windir\sysload32.exe"

where %windir% is a Windows directory name.

3. The worm performs a DoS attack on the following sites:

• mysupersales.com
• www.mysupersales.com

4. The worm spreads itself in the following message:

From: john@
Subject: don't be late!
Body: 
 Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
 so don't be late. And yes, by the way here is the file you asked for. 
 It's all written there. See you.
 Attachment: readnow.zip 
 

The attachment is a ZIP archive that contains the worm's executable file (READNOW.DOC.SCR).

5. Mimail.G does not have Mimail.C's spying functionality.