Sophos

W32/Mimail-Q


Summary

Included in our products from March 2004 (3.79)
Protection available since 26 January 2004 18:51:51 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Delete the file outlook.cfg in the Windows folder if it exists, and the files logo.jpg, logobig.gif, mshome.hta and wind.gif in the root of the C drive.

Treat any data entered into the worm's fake web page as compromised: change affected passwords and contact your card issuer about any credit card or other personal details that were submitted.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System

and delete it if it exists.

Close the registry editor.
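The manual steps above (delete the dropped files, back up the registry, remove the Run\System value) and the persistence mechanism described under More Information (Run\System pointing at sys32.exe in the Windows folder) can be checked and cleaned from one script. The following PowerShell is an added example, not Sophos code or part of the original page; it assumes PowerShell is available on the host, is run from an elevated prompt, and uses a parameter name (-Remove) and backup location chosen for this example. Without -Remove it only reports what it finds.

```powershell
# Added example (not from Sophos): report and optionally remove the
# W32/Mimail-Q artifacts named on this page. Run elevated.
param(
    [switch]$Remove   # default is report-only; pass -Remove to delete artifacts
)

$winDir   = $env:SystemRoot     # the Windows folder
$sysDrive = $env:SystemDrive    # normally "C:"

# Files the page says the worm drops or creates.
$files = @(
    (Join-Path $winDir 'outlook.cfg'),   # harvested email addresses
    (Join-Path $winDir 'sys32.exe'),     # copy of the worm referenced by Run\System
    (Join-Path $winDir 'outlook.exe'),   # also dropped into the Windows folder
    "$sysDrive\logo.jpg",
    "$sysDrive\logobig.gif",
    "$sysDrive\mshome.hta",              # fake Microsoft page that asks for card details
    "$sysDrive\wind.gif"
)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeyReg = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'  # reg.exe form
$valueName = 'System'

$findings = @()

# Persistence: the worm sets Run\System to point at sys32.exe.
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $target = $runValue.$valueName
    $findings += "Run\$valueName = $target"
    if ($Remove) {
        # Back up the Run key before editing, as the page advises for registry changes.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $env:TEMP "Run-backup-$stamp.reg"
        & reg.exe export $runKeyReg $backup | Out-Null
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Host "Removed Run\$valueName (key backed up to $backup)"
    }
}

# Dropped files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += $f
        if ($Remove) {
            Remove-Item -LiteralPath $f -Force
            Write-Host "Deleted $f"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No W32/Mimail-Q artifacts found.'
} else {
    Write-Host "Found $($findings.Count) artifact(s):"
    $findings | ForEach-Object { Write-Host "  $_" }
    if (-not $Remove) { Write-Host 'Re-run with -Remove to delete them.' }
}
```

Run it once without -Remove and confirm that the reported Run\System value actually references sys32.exe before deleting anything. If a copy of the worm is still running, Remove-Item on sys32.exe will fail with a sharing violation; stop the process (or follow the product's worm-removal instructions, which handle the running copy) and re-run, then reboot and run the script a final time to confirm nothing was recreated.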

More Information

W32/Mimail-Q is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named outlook.cfg in the Windows folder.

The email arrives with randomly varying properties, assembled from extensive lists of candidate values embedded in W32/Mimail-Q, so no single subject line or attachment name identifies it.

W32/Mimail-Q creates a fake Microsoft web page named MSHOME.HTA in the root folder in order to steal personal information. This page is displayed when W32/Mimail-Q is executed and prompts the user to enter credit card and other personal information. Because the file is an HTML Application (HTA), it is run by mshta.exe as a trusted local program rather than inside the browser's restricted security zone, which lets it pass as a local Microsoft dialog.

Several files are dropped into C:\ and can be deleted:

logo.jpg
logobig.gif
mshome.hta
wind.gif

In order to run automatically when Windows starts up, the worm copies itself to the file sys32.exe in the Windows folder and sets the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System to point to this file.

The worm also drops the file outlook.exe into the Windows folder.

When run, W32/Mimail-Q displays a fake error message reading "ERROR: Bad CRC32". No check actually takes place; the message is a decoy.
