Remove Worm.Mimail.A
About Mimail.A
Mimail.A is a worm that spreads by email and infects a system when the recipient opens the zipped attachment it carries.
The emails sent by the worm look like this:
Subject: your account [random letters]
Message:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: Message.zip
Inside the message.zip archive is a file called message.html. Once the archive is unzipped and that file is opened, the worm copies itself to
C:\<Windows>\exe.tmp and C:\<Windows>\videodrv.exe
(where <Windows> is the Windows directory, e.g. C:\Windows or C:\WINNT).
The worm exploits two known security vulnerabilities to infect the system: the MHTML exploit and the codebase exploit. Close these holes by downloading and installing the corresponding patches from Microsoft.
Mimail.A adds the following registry entry so that it runs again at every system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver = C:\<Windows>\videodrv.exe
The worm harvests email addresses from files on the local drive. It excludes files with the following extensions from its search:
AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR, TIF, VXD, WAV, ZIP
It places the email addresses it finds in the file C:\<Windows>\eml.tmp
How to Remove Mimail.A?
Follow these steps to remove the Mimail.A worm.
1) Turn off System Restore on Windows Me and Windows XP, so that the infected files are not preserved in a restore point.
2) End the running process, or reboot the system into Safe Mode.
Open the Windows Task Manager: on Windows 9x press CTRL+ALT+DEL; on Windows NT/2000/XP press CTRL+SHIFT+ESC and click the Processes tab.
Locate the process named VIDEODRV.EXE, select it and click End Task (or End Process).
3) Remove the Registry entries
Click on Start|Run|Regedit
In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, right-click and delete the following entry
"VideoDriver"="%Windows%\videodrv.exe"
Repeat this procedure for
HKEY_LOCAL_MACHINE>Software>Microsoft>Code Store Database>Distribution Units
In the right panel, locate and delete the entry:
{11111111-1111-1111-1111-111111111111}
Close the Registry Editor
4) Delete the infected files
Open your Windows folder (e.g. C:\Windows or C:\WINNT), find the following files and delete them:
videodrv.exe, eml.tmp, zip.tmp, exe.tmp
(videodrv.exe is the worm's own copy; it can only be deleted once its process has been ended in step 2.)
5) Reboot the computer and run a thorough virus scan with your antivirus program. Then apply the Microsoft patches for the MHTML exploit and the codebase exploit.
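The manual steps above can be scripted. The following PowerShell script is an added example, not part of the original article or of any vendor removal tool: it audits a host for exactly the indicators the article lists (the videodrv.exe process, the VideoDriver Run value, the Distribution Units key, and the dropped files) and, only when called with -Remove, performs steps 2 through 4. The script name Remove-MimailA.ps1 is an assumption; $env:SystemRoot stands in for the article's <Windows> placeholder.

```powershell
<#
  Remove-MimailA.ps1 (added example, not from the original article)
  Audits a Windows host for the Mimail.A indicators described above.
  With -Remove it ends the process, deletes the registry entries and the
  dropped files. Run from an elevated prompt; preview with -Remove -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports findings
)

# The article's <Windows> placeholder: C:\Windows or C:\WINNT on the host
$win = $env:SystemRoot

# Indicators taken from the article; nothing else is checked or touched
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'VideoDriver'
$duKey   = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}'
$files   = 'videodrv.exe', 'exe.tmp', 'eml.tmp', 'zip.tmp' | ForEach-Object { Join-Path $win $_ }

$findings = @()

# Step 2: the worm's running process (must be stopped before its file can be deleted)
$proc = Get-Process -Name 'videodrv' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process videodrv.exe (PID $($proc.Id -join ','))"
    if ($Remove -and $PSCmdlet.ShouldProcess('videodrv.exe', 'Stop-Process')) {
        $proc | Stop-Process -Force
    }
}

# Step 3a: the Run value that restarts the worm at boot
$runVal = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value $runName = $($runVal.$runName)"
    if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$runName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $runName
    }
}

# Step 3b: the Distribution Units key left behind by the codebase exploit
if (Test-Path -LiteralPath $duKey) {
    $findings += "Distribution Units key $duKey"
    if ($Remove -and $PSCmdlet.ShouldProcess($duKey, 'Remove-Item')) {
        Remove-Item -LiteralPath $duKey -Recurse
    }
}

# Step 4: the worm's copy and its temporary files in the Windows folder
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Mimail.A indicators found.'
} else {
    Write-Output 'Mimail.A indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to clean up (add -WhatIf to preview).' }
}
```

Run it once without -Remove to see what is present, then with -Remove -WhatIf to confirm which actions it would take before running it for real. Step 1 (System Restore) and step 5 (the full antivirus scan and the Microsoft patches) are deliberately left to the operator, since the script only undoes the changes the article attributes to the worm.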