Summary

| | |
|---|---|
| Included in our products from | December 2003 (3.76) |
| Protection available since | 3 November 2003 02:14:35 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/Mimail-F.
More Information
W32/Mimail-F is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up, the worm copies itself to the file sysload32.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32
The emails sent by the worm have the following characteristics:
Subject line : don't be late!<30 spaces><random characters>
Message text :
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
<random characters>
Attached file : readnow.zip
W32/Mimail-F spoofs the From field of the sent emails using the email address
john@<your domain>
Readnow.zip is a compressed file which contains an executable file named readnow.doc.scr. The worm also creates a copy of itself named exe.tmp and a copy of readnow.zip named zip.tmp, both in the Windows folder.
While searching for email addresses in files on the local hard drive, W32/Mimail-F attempts to exclude files that have the following extensions from the search:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- psd
- rar
- tif
- vxd
- wav
- zip
W32/Mimail-F also attempts to launch a denial of service attack against the websites mysupersales.com and www.mysupersales.com.
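The message traits listed above can be checked at a mail gateway. The following is an added example, not Sophos code: it assumes an already parsed `email.message.EmailMessage`, and the function names, the list of executable extensions beyond `.scr` and the sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Traits from the description above. The page gives 30 spaces after the subject
# text; \s+ is used here because relays may normalise whitespace.
SUBJECT_RE = re.compile(r"^don't be late!\s+\S")
# Assumption: extensions treated as executable. The page itself names only .scr.
DISGUISED_RE = re.compile(r"\.[^./]+\.(scr|exe|pif|com|bat)$", re.IGNORECASE)

def disguised_members(zip_bytes):
    """Archive members shaped like readnow.doc.scr (decoy ext + executable ext)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if DISGUISED_RE.search(n)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # cannot be inspected, so report it

def inspect(msg):
    """Return the Mimail-F traits present in a parsed EmailMessage."""
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    # Weak on its own: the worm spoofs john@<recipient's domain>.
    if parseaddr(str(msg.get("From", "")))[1].lower().startswith("john@"):
        hits.append("from")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == "readnow.zip":
            hits.append("attachment-name")
        if name.endswith(".zip"):
            members = disguised_members(part.get_payload(decode=True) or b"")
            hits += ["zip-member:" + m for m in members]
    return hits

def build_sample():
    """Constructed sample: same headers and layout, inert placeholder payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readnow.doc.scr", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "john@example.org"
    msg["Subject"] = "don't be late!" + " " * 30 + "qkzvtrw"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="readnow.zip")
    return msg
```

A raw message can be parsed for `inspect` with `email.message_from_bytes(raw, policy=email.policy.default)`. The archive member check is the strongest signal of the four, since the subject tail and message tail are randomised.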
