
Mimail.N

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Mimail.N carries out the following actions:

  • It displays several images on screen, which attempt to trick the user into giving their credit card number, personal identification number, e-mail address, etc. These forms check that the user has entered the correct information; for example, the correct number of digits in the credit card number.
  • It changes the Internet Explorer home page to:

    http://www.anvari.org/db/fun/Word_Trade_Center/Bush_Monkey.jpg

Infection strategy 

Mimail.N creates the following files:

  • WINMGR32.EXE and EE98AF.TMP in the Windows directory. These files are copies of the worm.
  • ZIPZIP.TMP in the Windows directory. This file is compressed in ZIP format and contains a copy of the worm.
  • INDEX.HTA and INDEX2.HTA in the root directory of the C: drive. These files are the forms used to trick the user into giving confidential data.
  • TMPNY3.TXT in the root directory. This text file contains the data that the user enters in the forms mentioned above.

Mimail.N creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WinMgr32 = %windir%\winmgr32.exe

    where %windir% is the Windows directory.
    By creating this entry, Mimail.N ensures that it is run whenever Windows is started.
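
The files and Run entry listed above can be checked for on a mounted copy of a disk, as in this added example (not Panda's code). The function names, the mount layout and the `windir` defaults are assumptions; the file names, the Run value and the 57,888-byte size (from Further Details) come from this entry.

```python
import os

# Indicators taken from this entry; function and parameter names are hypothetical.
WINDIR_FILES = {"winmgr32.exe", "ee98af.tmp", "zipzip.tmp"}
ROOT_FILES = {"index.hta", "index2.hta", "tmpny3.txt"}
WORM_COPIES = {"winmgr32.exe", "ee98af.tmp"}  # described as copies of the worm
WORM_SIZE = 57888                              # bytes, from "Further Details"
RUN_NAME, RUN_DATA = "winmgr32", r"%windir%\winmgr32.exe"


def _entries(directory):
    """Map lower-cased name -> path; Windows file names are case-insensitive."""
    return {n.lower(): os.path.join(directory, n) for n in os.listdir(directory)}


def scan_volume(root, windir="WINDOWS"):
    """Check a mounted copy of the C: volume for the files this entry lists."""
    findings = []
    top = _entries(root)
    for name in sorted(ROOT_FILES & top.keys()):
        findings.append((name, "listed file in root of C:"))
    win_path = top.get(windir.lower())
    if win_path and os.path.isdir(win_path):
        win = _entries(win_path)
        for name in sorted(WINDIR_FILES & win.keys()):
            note = "listed file in Windows directory"
            if name in WORM_COPIES:  # ZIPZIP.TMP is an archive, so no size check
                match = os.path.getsize(win[name]) == WORM_SIZE
                note += ", size matches worm" if match else ", size differs"
            findings.append((name, note))
    return findings


def check_run_values(values, windir=r"C:\WINDOWS"):
    """values: {name: data} exported from HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    expected = RUN_DATA.lower().replace("%windir%", windir.lower())
    hits = []
    for name, data in values.items():
        resolved = data.lower().replace("%windir%", windir.lower()).strip('"')
        # Flag either half of the entry: the value name or the resolved path.
        if name.lower() == RUN_NAME or resolved == expected:
            hits.append(name)
    return hits
```

A name match alone is only a lead: the size comparison separates a file that merely shares a listed name from one that also matches the worm's stated size.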

Means of transmission 

Mimail.N spreads via e-mail. It follows the routine below:

  • It reaches the computer in a message that has the following characteristics:

    Subject:
    GREAT NEW YEAR OFFER FROM PAYPAL.COM!

    Message:
    *** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***

    Dear PayPal.com Member,

    We here at PayPal.com are pleased to announce that we have a special New Year offer for you!

    If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!

    If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.

    That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!

    Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com

    Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!

    Best of luck in the New Year,
    PayPal.com Team

    Attachments:
    P-APP.ZIP
  • Once the attached file is decompressed and run, the computer is affected.
  • Mimail.N searches for e-mail addresses in all the files of the computer that do not have any of the following extensions: AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR, TIF, VXD, WAV and ZIP.
  • It sends itself out to all the collected addresses.

Further Details  

Mimail.N is written in the C programming language and compiled with LCC Win32. The worm is 57,888 bytes in size.

Unlike other Mimail variants, Mimail.N does not exploit the Codebase and MHTML vulnerabilities.

Last updated:  17/03/2005 
