Threat description




This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.


Manual disinfection of an Mimail.I infected computer consists of the following steps:

1. Remove the registry value
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]

2. Restart the computer

3. Delete '%WinDir%\svchost32.exe' (where %WinDir% is the Windows Directory, typically c:\windows\ or c:\winnt)

Technical Details

Email-Worm:W32/Mimail.I is a worm that propagates in infected e-mail attachments. Mimail.I also has a payload: it uses a fake web that appears to be a legitimate enquiry from Paypal, in order to steal credit card information.

F-Secure has received reports of e-mails containing the Mimail.I worm that use the attachment name: 'paypal.asp.scr'. As the worm is coded to send e-mails with the attachment name '', it is likely that these new messages were hand-crafted.

Mimail.I was found on November 14th, 2003.


Mimail.I arrives in email that looks as follows:

If the user runs the attachment, Mimail.I copies itself to the Windows Directory as:

  • svchost32.exe

This copy is added to the registry as:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]

The worm also drops a fake web form to:

  • c:\pp.hta
  • c:\pp.gif

Mimail.I uses its own SMTP engine it sends e-mails with the malicious attachment.

The worm collects email addresses from files on the infected computer. It recursively searches through the user's document folders and looks into all the files whose extension is not on the following list

  • "bmp"
  • "jpg"
  • "gif"
  • "exe"
  • "dll"
  • "avi"
  • "mpg"
  • "mp3"
  • "vxd"
  • "ocx"
  • "psd"
  • "tif"
  • "zip"
  • "rar"
  • "pdf"
  • "cab"
  • "wav"
  • "com"

To find the SMTP server of the target e-mail address, the worm does an MX lookup using a predefined public DNS server.

The e-mails used by Mimail.I to distribute its infected attachment has the following characteristics:

  • From: ""
  • Attachment:
  • Body text:
 Dear PayPal member,  PayPal would like to inform you about some important information   regarding your PayPal account. This account, which is associated   with this email address recipient@somewhere  will be expiring within five business   days. We apologize for any inconvenience that this may cause,   but this is occurring because all of our customers are required   to update their account settings with their personal information.  We are taking these actions because we are implementing a new   security policy on our website to insure everyone's absolute   privacy. To avoid any interruption in PayPal services then you   will need to run the application that we have sent with this   email (see attachment) and follow the instructions. Please do   not send your personal information through email, as it will not   be as secure.  IMPORTANT! If you do not update your information with our secure   application within the next five business days then we will be   forced to deactivate your account and you will not be able to   use your PayPal account any longer. It is strongly recommended   that you take a few minutes out of your busy day and complete   this now.  DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an   automated message system and the reply will not be received.  Thank you for using PayPal.   

On executing the worm, a fake web form that appears to be from Paypal is displayed. This is a Social Engineering trick used by the worm to deceive users into entering their credit card information into the form.

Once entered, the credit card information from the form is collected to a file, 'c:\ppinfo.sys' which is later mailed to certain email addresses.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info