
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Mimail

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

Mimail does not have destructive effects. Its only aim is to spread to other computers.

Infection strategy

Mimail creates the following files in the Windows directory:

  • VIDEODRV.EXE. This file contains the code of the worm.
  • ZIP.TMP. This file is a copy of the attachment, compressed in ZIP format.
  • EXE.TMP. This file is a copy of the HTML file embedded in the attachment.
  • EML.TMP. This file contains the e-mail addresses that the worm has obtained.

Mimail creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VideoDriver = %windir%\videodrv.exe
    By creating this entry, Mimail ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-111111111111}
    This entry allows the worm to carry out its actions.

Mimail follows the routine below:

  • The process begins when the user decompresses the attachment and runs the HTML file.
  • The worm takes advantage of the following Internet Explorer vulnerabilities: Internet zone and MHTML. These vulnerabilities allow code to be run in the local zone of the affected computer.
  • By doing this, the worm creates a file in the Temporary Internet Files directory, which it then runs in order to carry out its actions.

Means of transmission

Mimail spreads via e-mail in a message with the following characteristics:

  • Sender:
    admin@%domain%
    %domain% is the domain of the user’s e-mail address.
  • Subject:
    Your account  xxxxxxx
    xxxxxxx is a group of random lower-case letters.
  • Message:
    Hello there,
    I would like to inform you about important information regarding your email address. This email address will be expiring.
    Please read attachment for details.
    ---
    Best regards, Administrator
    xxxxxxxx
  • Attachments:
    MESSAGE.ZIP
  • In addition, the message includes the high priority flag.
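As an added detection example (not part of the Panda Security entry), the following Python checks a raw e-mail against the message characteristics listed above and reports which of them match. The sample message is constructed for the example, the subject pattern is expressed as a regular expression from the description, and representing the high-priority flag by the X-Priority or Importance header is an assumption.

```python
import re
from email import message_from_string

# Constructed sample message modelled on the characteristics described above
# (not a real capture); the ZIP body is a placeholder, not a working archive.
SAMPLE_MIMAIL = """\
From: admin@example.com
To: alice@example.com
Subject: Your account  qwtmdpx
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello there,
Please read attachment for details.
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"

UEsDBA==
--b1--
"""

# "Your account" followed by a run of random lower-case letters
SUBJECT_RE = re.compile(r"^Your account\s+[a-z]+$")


def mimail_indicators(raw: str) -> list:
    """Return the names of the Mimail mail characteristics a message matches."""
    msg = message_from_string(raw)
    hits = []
    sender = (msg.get("From") or "").strip().lower()
    recipient = (msg.get("To") or "").strip().lower()
    # Sender is admin@%domain%, where %domain% is the recipient's own domain
    if "@" in recipient and sender == "admin@" + recipient.split("@", 1)[1]:
        hits.append("sender_admin_at_own_domain")
    if SUBJECT_RE.match(msg.get("Subject") or ""):
        hits.append("subject_your_account_random")
    # High priority flag (assumed to be carried in X-Priority or Importance)
    priority = (msg.get("X-Priority") or "").strip()
    if priority.startswith("1") or (msg.get("Importance") or "").lower() == "high":
        hits.append("high_priority")
    # Attachment named MESSAGE.ZIP (compared case-insensitively)
    if any((p.get_filename() or "").lower() == "message.zip" for p in msg.walk()):
        hits.append("attachment_message_zip")
    return hits
```

A message matching all four characteristics is a strong candidate for quarantine; a single match (for example only the high-priority flag) is not on its own meaningful.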

Mimail searches for e-mail addresses, in order to send out a copy of itself using its own SMTP engine:

  • It searches for files in the Program Files directory and the folders listed in the following Windows Registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Directories such as My Documents and the Windows Desktop belong to this registry entry.
  • It looks for e-mail addresses in all the files that are stored in these directories, which do not have one of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP.