Win32:Mimail-E
is another UPX-packed worm that spreads via e-mail. It is very similar to the previous Mimail-C worm; please note that other minor variants exist. The infected messages have the following characteristics:
Subject line: Re[2]: don't be late! [random letters]
Text:
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
[random letters]
Attached file: readnow.zip
Readnow.zip is a ZIP archive containing an executable file named readnow.doc.scr, so the user must unpack it first before the virus can be run.
The worm sends itself to all addresses found on the hard drive of the infected computer. It stores all e-mail addresses it finds in a file called eml.tmp in the Windows folder. In order to run automatically when Windows starts up, the worm stores itself in the file cnfrm.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32
This worm uses a false e-mail address in the From field of the e-mails it sends: this time it uses the address john@[recipient_domain].
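As an added illustration that is not part of the original avast! description, the following Python script checks a single mail message for the indicators listed above: the subject pattern, the forged john@[recipient_domain] sender, the readnow.zip attachment and the readnow.doc.scr name inside it. The sample message it builds is constructed here, with a harmless text stub in the archive instead of the worm.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the Mimail-E description above.
SUBJECT_RE = re.compile(r"^Re\[2\]: don't be late! [A-Za-z]+$")
ATTACHMENT_NAME = "readnow.zip"
PAYLOAD_NAME = "readnow.doc.scr"


def mimail_e_indicators(raw: bytes) -> list:
    """Return the Mimail-E indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    # Forged sender: "john@" followed by the recipient's own domain.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if "@" in recipient and sender == "john@" + recipient.split("@", 1)[1]:
        hits.append("from")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT_NAME:
            continue
        hits.append("attachment")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower() == PAYLOAD_NAME for n in zf.namelist()):
                    hits.append("zip_contents")
        except zipfile.BadZipFile:
            pass  # named like the worm's attachment but not a valid archive
    return hits


def build_sample(sender: str = "john@example.org") -> bytes:
    """Constructed test message; the archive holds a text stub, not the worm."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(PAYLOAD_NAME, "placeholder text, not an executable")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Re[2]: don't be late! qwzx"
    msg.set_content("Will meet tonight as we agreed, so don't be late.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename=ATTACHMENT_NAME)
    return msg.as_bytes()
```

Any single hit is only a hint; the forged-sender check plus the archive check together are what distinguish this variant's mail from ordinary replies.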
The worm tries to perform a DoS (Denial of Service) attack on the following sites:
spews.org
www.spews.org
spamhaus.org
www.spamhaus.org
spamcop.net
www.spamcop.net
fethard.biz
www.fethard.biz
fethard-finance.com
www.fethard-finance.com
This version of the MiMail worm does not have the information-stealing capability of the previous MiMail-C worm.
Removal:
To remove this virus please use our free avast! Virus Cleaner.
avast! with a VPS file dated on or after 1st November 2003 is able to detect this worm.