What is the MiMail.T Worm?

Mimail.T is a mass mailing worm. It attempts to mail itself to the email addresses found on the system. The message body and subject lines can vary.

How Does MiMail.T Worm Infect My System?

When it is executed, Mimail.T performs the following actions:

1. Copies itself to:
   • %Windir%\Kaspersky.exe
   • %Windir%\Ee98af.tmp
     
2. Registers itself as a service process.
   
3. Adds the value:
   
   "KasperskyAv" = " %Windir%\kaspersky.exe"
   
   to registry key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that the worm runs when you start Windows.
   
4. Attempts to resolve the IP address for www.google.com to determine whether there is Internet connectivity.
   
5. Collects email addresses from all the files on the computer, except those that have these extensions:
   • jpg
   • gif
   • exe
   • dll
   • avi
   • mpg
   • mp3
   • vxd
   • ocx
   • psd
   • tif
   • zip
   • rar
   • pdf
   • cab
   • wav
   • com
     
6. Sends email messages using its own SMTP engine. For each email address the worm gathers, it acquires a mail server associated with that email address from the system DNS or DNS server at IP 212.5.86.163. Then, its SMTP engine directly contacts the destination mail server.
   
   The subject lines, attachment names, and message bodies vary:
   
   The first part of the attachment name consists of one of the following words:
   
   my
   priv
   private
   prv
   the
   best
   super
   great
   cool
   wild
   sex
   fXck
   
   followed by an one or two underscores or a dash, and then one of the following words:
   
   pic
   img
   phot
   photos
   pctrs
   images
   imgs
   scene
   plp
   act
   action
   
   and one of the following extensions:
   
   .pif
   .scr
   .exe
   .jpg.scr
   .jpg.pif
   .jpg.exe
   .gif.exe
   .gif.pif
   .gif.scr
   
7. Performs a Denial of Service (DoS) that has the following characteristics:
   1. Randomly selects a site from the names below:
      • darkprofits.net
      • darkprofits.cc
      • darkprofits.com
      • spew.org
        
   2. Randomly chooses to perform a TCP connection on port 80 or to perform an ICMP attack. The packets that are sent to the victim carry a 2 KB payload filled with random data.
   3. Uses a random ICMP type when performing the ICMP attack.
   4. Sends data using either the GET request or some random data when performing the HTTP connection.
      

How to Remove the MiMail.T worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects MiMail.T during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the MiMail.T worm.

1. Terminating the Running Program

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press
   CTRL+ALT+DELETE
   On Windows NT/2000/XP systems, press
   CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process:
   kaspersky.exe
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

2. Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>
   Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   KasperskyAv = "%Windows%\kaspersky.exe"
   Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.

3. Removing Other Malware Registry Modifications

1. Still in the registry in the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
   CurrentVersion>explorer
2. In the right panel, locate and delete the entry or entries:
   Explorer3
   OR
   Explorer2
3. Close Registry Editor.

4. Deleting Malware Files

1. Right-click Start then click Search. or Find. depending on your version of Windows.
2. In the Named input box, type: Kaspersky.exe
   Outlook.cfg
   Ee98af.tmp
   crc32.cfg
   C:\TMPEG2.TXT
   C:\TMPGLD.TXT
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
4. Once located, select the file then hit Delete.

5. Updating the Virus Definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

6. Run a full system scan and delete all the files detected as MiMail.T.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with MiMail.T, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Do you think this website is useful? Help us to keep the site growing.

Detect and Removal Instruction for Other Worms - 'M':