The attachment is a compressed file named readnow.zip, which contains the file readnow.doc.scr. By default, Windows hides the extensions of known file types, so this name is displayed as readnow.doc even though .scr is an executable (screensaver) format. To avoid being taken in by this double-extension ruse, turn off the hiding of file extensions in Explorer so that the full name is shown. Opening the file infects the system, which in turn spreads the infection to others.
Mimail.E also launches a Denial of Service (DoS) attack, sending large amounts of garbage data to the anti-spam sites spews.org, spamhaus.org, spamcop.net, www.spews.org, www.spamhaus.org, and www.spamcop.net. Before attacking, the worm connects to www.google.com to confirm that the Internet connection is active, which also generates additional unwanted traffic to that site.
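The traffic pattern described above, a short connectivity check to www.google.com followed by a burst of large uploads to the six anti-spam hosts, is easy to pick out of outbound connection logs. The following is an added example (not code from the original advisory or from Sophos) that runs such a check over constructed log lines. The log format ("timestamp source-ip destination-host bytes-sent"), the thresholds, and the sample addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Targets named in the advisory above, plus the connectivity check the worm makes first.
DOS_TARGETS = {
    "spews.org", "www.spews.org",
    "spamhaus.org", "www.spamhaus.org",
    "spamcop.net", "www.spamcop.net",
}
CONNECTIVITY_CHECK = "www.google.com"

# Assumed (hypothetical) log format: "<timestamp> <source-ip> <destination-host> <bytes-sent>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<nbytes>\d+)$")

# Constructed sample log, not real traffic: 10.0.0.7 behaves like an infected host,
# 10.0.0.12 is a user who looked at one anti-spam site, 10.0.0.31 is unrelated mail traffic.
SAMPLE_LOG = """\
2003-11-14T10:00:01 10.0.0.7 www.google.com 512
2003-11-14T10:00:02 10.0.0.7 spews.org 650000
2003-11-14T10:00:02 10.0.0.7 www.spamhaus.org 700000
2003-11-14T10:00:03 10.0.0.7 spamcop.net 690000
2003-11-14T10:00:03 10.0.0.7 www.spews.org 610000
2003-11-14T10:00:05 10.0.0.12 www.google.com 2048
2003-11-14T10:00:06 10.0.0.12 www.spamhaus.org 1500
2003-11-14T10:00:09 10.0.0.31 mail.example.net 40000
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["nbytes"])


def find_flooders(text, min_connections=3, min_bytes=1_000_000):
    """Return {src: summary} for sources that sent a flood to the anti-spam targets.

    A host is flagged when it opened at least min_connections to the target set and
    pushed at least min_bytes to them in total. Whether its first recorded destination
    was www.google.com is reported as corroboration only: the worm's connectivity check
    looks identical to a user opening Google, so it must not be a condition on its own.
    """
    first_dst = {}
    stats = defaultdict(lambda: {"connections": 0, "bytes": 0, "targets": set()})
    for _ts, src, dst, nbytes in parse_log(text):
        first_dst.setdefault(src, dst)
        if dst in DOS_TARGETS:
            s = stats[src]
            s["connections"] += 1
            s["bytes"] += nbytes
            s["targets"].add(dst)
    flagged = {}
    for src, s in stats.items():
        if s["connections"] >= min_connections and s["bytes"] >= min_bytes:
            flagged[src] = {
                "connections": s["connections"],
                "bytes": s["bytes"],
                "targets": sorted(s["targets"]),
                "google_check_first": first_dst.get(src) == CONNECTIVITY_CHECK,
            }
    return flagged


if __name__ == "__main__":
    for src, summary in find_flooders(SAMPLE_LOG).items():
        print(src, summary)
```

On the sample data only 10.0.0.7 is flagged; the single visit from 10.0.0.12 stays below both thresholds. Tune the thresholds to the volumes seen on your own network; the point of the two-part condition is that a user who merely browses to one of these sites is not reported.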
"These Mimail worms attempt to push anti-spam resources off the internet. This is an attack on everyone who uses internet email for legitimate purposes," said Chris Belthoff, sr. security analyst at Sophos, Inc. "One question that is being asked - are the people who fill everyone's email inboxes with spam also behind this virus? It's hard to know for certain but it's clear that this worm is doing nothing to help reduce the problem of unsolicited email."
The email composed by Mimail.E appears as follows:
- Subject: don't be late! (several blank spaces followed by random letters)
- Body:
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
(followed by the same random characters found in the email subject)
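Both the double-extension ruse in the attachment and the lure message above can be checked mechanically at a mail gateway. The following is an added example (not code from the original advisory or from Sophos) that parses a raw message, matches the subject pattern, opens any ZIP attachment in memory and flags members whose real extension is executable but hidden behind a document extension. It also shows what Explorer would display for such a name with extensions hidden. The extension lists go beyond the page's single .scr case to other extensions Windows runs as code, and the sample message is constructed here with inert filler bytes in place of the worm.

```python
import base64
import io
import re
import zipfile
from email import message_from_bytes

# .scr is what Mimail.E uses; the others are further extensions Windows executes (generalisation).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions an attacker places in front of the real one so the name looks like a document.
DOCUMENT_EXTS = {".doc", ".txt", ".pdf", ".htm", ".html", ".jpg", ".gif", ".xls", ".rtf"}
# Subject pattern described above: the fixed phrase, several spaces, then random letters.
LURE_SUBJECT = re.compile(r"^don't be late!\s{2,}[A-Za-z]+$")


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on: the final
    extension of a registered type is dropped, so readnow.doc.scr appears as readnow.doc."""
    stem, dot, ext = name.rpartition(".")
    if dot and ("." + ext.lower()) in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return name


def is_double_extension(name):
    """True for names such as readnow.doc.scr: an executable suffix behind a document suffix."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DOCUMENT_EXTS


def suspicious_zip_members(zip_bytes):
    """Names inside a ZIP attachment that use the double-extension ruse."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_double_extension(n)]


def triage(raw_message):
    """Classify one raw RFC 822 message: 'quarantine' if any attachment carries a
    double-extension executable, 'review' if only the subject matches the lure, else 'pass'."""
    msg = message_from_bytes(raw_message)
    report = {"lure_subject": bool(LURE_SUBJECT.match(msg.get("Subject", ""))), "attachments": {}}
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            try:
                hits = suspicious_zip_members(payload)
            except zipfile.BadZipFile:
                hits = []  # corrupt archive: nothing to inspect, so no verdict from it
        else:
            hits = [fname] if is_double_extension(fname) else []
        report["attachments"][fname] = hits
    if any(report["attachments"].values()):
        report["verdict"] = "quarantine"
    elif report["lure_subject"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "pass"
    return report


def build_sample_message():
    """Constructed look-alike of the lure described above. The archive member is inert
    filler text, not the worm; only the names and the subject line are imitated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readnow.doc.scr", b"inert filler, not an executable")
    attachment = base64.encodebytes(buf.getvalue()).decode("ascii")
    return (
        "From: sender@example.com\r\n"
        "To: recipient@example.net\r\n"
        "Subject: don't be late!    qwjxzk\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b0undary"\r\n'
        "\r\n"
        "--b0undary\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,\r\n"
        "so don't be late. And yes, by the way here is the file you asked for.\r\n"
        "It's all written there. See you. qwjxzk\r\n"
        "--b0undary\r\n"
        'Content-Type: application/zip; name="readnow.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="readnow.zip"\r\n'
        "\r\n" + attachment + "--b0undary--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print(displayed_name("readnow.doc.scr"))
    print(triage(build_sample_message()))
```

The archive is inspected by member name only, which is all the ruse depends on; a gateway that also wants to look at content would add a check that the member begins with an executable header. Note that the verdict comes from the attachment, not the subject: the random letters in the subject change per message, so the subject match is treated as supporting evidence rather than a signature.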
Symptoms of infection
Mimail.E creates four files in the Windows directory:
- EML.TMP - contains email addresses harvested from infected machine
- EXE.TMP - copy of Mimail.E worm
- CNFRM.EXE - installed copy of Mimail.E worm
- ZIP.TMP - ZIP archive of Mimail.E
Mimail.E edits the following key in the system Registry to load CNFRM.EXE on system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
is edited to add:
"Cnfrm32" = C:\%windir%\CNFRM.EXE
Mimail.E then mass-mails itself to others, using any email addresses found on the infected system. It searches the entire hard drive for email addresses, skipping files with the following extensions: AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR, TIF, VXD, WAV, ZIP.
Mimail.E contains its own SMTP engine and does not send through the victim's email client, so the copies of the Mimail email it sends will not appear in the client's Sent folder.
To manually remove Mimail.E from an infected system, first terminate the running CNFRM.EXE process (Windows will not delete an executable that is still running), then remove the Cnfrm32 value the worm added under the Run key and delete the four dropped files. Antivirus software updated after Mimail.E's discovery should also be able to detect and remove the worm.
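The symptoms listed above and the manual removal steps can be scripted. The following is an added example (not code from the original advisory or from Sophos) that keeps the indicator check as a pure function, so it can be run over data collected from any host, and wraps the Windows-only parts (reading the Run key with winreg, listing %windir%, deleting the value and files) in separate functions. The sample Run-key values and file listings used for illustration are constructed; the Run key path, value name and file names are the ones the advisory gives.

```python
import os

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Cnfrm32"            # value name the worm adds under the Run key
PERSISTED_EXE = "CNFRM.EXE"      # data of that value points at CNFRM.EXE in the Windows directory
DROPPED_FILES = ("EML.TMP", "EXE.TMP", "CNFRM.EXE", "ZIP.TMP")


def assess(run_values, windir_files):
    """Pure check that runs anywhere: run_values maps Run-key value names to their data,
    windir_files is the set of file names in the Windows directory. Returns findings as
    (kind, name, data) tuples; an empty list means no indicator was present."""
    findings = []
    for name, data in run_values.items():
        # Match on the file name, not the full string: the advisory shows the data as
        # C:\%windir%\CNFRM.EXE, while an expanded path would read C:\WINDOWS\CNFRM.EXE.
        target = data.strip('"').upper()
        if name.lower() == RUN_VALUE.lower() or target.endswith("\\" + PERSISTED_EXE):
            findings.append(("run_value", name, data))
    present = {f.upper() for f in windir_files}
    for dropped in DROPPED_FILES:
        if dropped in present:
            findings.append(("dropped_file", dropped, None))
    return findings


def is_infected(run_values, windir_files):
    return bool(assess(run_values, windir_files))


def collect_windows():
    """Windows-only collector: reads the Run key and lists %windir%. winreg is imported
    lazily so the pure logic above stays importable on other platforms."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:          # raised once the index runs past the last value
                break
            values[name] = str(data)
            index += 1
    windir = os.environ["windir"]
    return values, set(os.listdir(windir)), windir


def remediate_windows(windir):
    """Delete the persistence value and the dropped files. Terminate CNFRM.EXE first:
    Windows refuses to delete a running executable and os.remove raises PermissionError.
    Needs an elevated (Administrator) prompt to write HKLM."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        try:
            winreg.DeleteValue(key, RUN_VALUE)
        except OSError:
            pass                     # value already gone
    removed = []
    for dropped in DROPPED_FILES:
        path = os.path.join(windir, dropped)
        if os.path.exists(path):
            os.remove(path)
            removed.append(path)
    return removed


if __name__ == "__main__":
    run_values, windir_files, windir = collect_windows()
    for finding in assess(run_values, windir_files):
        print(*finding)
    # remediate_windows(windir)  # uncomment after CNFRM.EXE has been terminated
```

The check deliberately matches on the file name in the Run value's data as well as on the value name, so a variant that keeps the same dropped executable but registers it under a different name is still reported.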