W32/Mimail-K

Type
Win32 worm

W32/Mimail-K is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up the worm copies itself to the file sysload32.exe in the Windows folder and adds the following registry
entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32

The emails sent by the worm have the following characteristics:

Subject line : don't be late!<30 spaces><random characters>
Message text : Will meet tonight as we agreed, because on Wednesday I don't think i'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.

<random characters>
Attached file : readnow.zip

W32/Mimail-K spoofs the From field of the sent emails using the email address john@<your domain>

Readnow.zip is a compressed file which contains an executable file named readnow.doc.scr. The worm also creates a copy of itself named exe.tmp and a copy of readnow.zip named zip.tmp, both in the Windows folder.

While searching for email addresses in files on the local hard drive W32/Mimail-K attempts to exclude files that have the following extensions from the search:

More: http://www.sophos.com/virusinfo/analyses/w32mimailk.html