[email protected]

Aliases: WORM_MIMAIL.V, W32/Mimail-V, JS.Mimail.V
Variants: WORM_MIMAIL.V, W32/Mimail-V, JS.Mimail.V

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 20 Apr 2004
Damage: Medium

Characteristics: [email protected] is a member of a family of mass-mailing worms that affects the Windows 2000, Windows NT, Windows Server 2003 and Windows XP operating system platforms. The email it uses to transmit and spread itself has a “.zip” attachment, while the subject line varies. The email message has the following description: “Subject: A randomly selected combination of the following items: Re: Re[2]: your important very important request file document bill payment options payment details account details info information successfully changed corrected modified.” This is usually the format of the email used in spreading the worm.

More details about [email protected]

It is known to drop a text file named “xxxx.txt” in the folder in which the worm is opened. It may also kill processes and services, including those of several security programs. As such, it registers itself as a service and cannot be detected as a bona fide virus or worm. Furthermore, it generates a random mutex based on the operating system, so that only one instance of the worm is running. It creates a randomly named “.html” or “.folder” file in the system folder and lets the infection routine circulate. Another known characteristic is that it may try to connect to various Internet Relay Chat servers to wait for additional commands from an attacker.

The [email protected] application may have the capability to flood a port with a string of code to give remote users full access to the infected machine. The malware may potentially give remote users file management functions, allowing them to modify user settings, create and delete files, modify default values, and initiate Denial of Service (DoS) attacks on the infected machine. According to security experts, this malware program was specifically created for use on the Windows operating system. It was believed that this malware can infect machines running Windows 95, 98, ME, NT, 2000, Server 2003, and XP.