Description:
TrendLabs HQ received several reports of this polymorphic mass-mailing worm spreading via email.
This polymorphic, memory-resident worm drops and executes a copy of itself as NLOAD.EXE in the root directory. It employs several autostart techniques so that it runs at every system startup.
This worm uses SMTP (simple Mail Transfer Protocol) to send email to found recipients in files with the following extensions:
HTM
WAB
HTM
DBX
TBB
The format of the email it sends out is as follows:
From: newvirus@kaspersky.ru
Subject: Unknown
Message body: If you cant see message text from: , read attached file.
Attachment: Document.zip
It steals critical system and user information and sends all gathered data to a remote user.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.U
Virus Information
Discovery Date: 02/10/2004
Origin: Unknown
Length: 40,960 bytes (polymorphic dropper)
Type: Virus
SubType: E-mail
This detection is for a new variant of W32/Mimail@MM . There are similarities between this and the W32/Dumaru@MM family.
This worm bears the following characteristics:
it is polymorphic (but of fixed file size: 40,960 bytes)
it drops a second binary, which contains the worms functionality
it mails itself in a ZIP file (DOCUMENT.ZIP)
messages are constructed using the worm's SMTP engine, and sent to email addresses harvested from the victim machine
the worm also contains a data stealing component, mailing specific data to the hacker (keylog, clipboard, MAPI passwords, IP, system information etc)
a backdoor component (already detected as BackDoor-AXJ ) is downloaded from a remote server.
The worm's functionality is contained in a file that is dropped (C:\NLOAD.EXE) when the polymorphic component is executed on the victim machine.
More: http://vil.nai.com/vil/content/v_101004.htm

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic