Remove Worm.Mimail.L
About Mimail.L
Mimail.L is a variant of the Mimail.C worm. It spreads via email and
infects systems through a zipped attachment in the email.
The emails sent by the worm look like this:
From: Wendy@<your domain>
Subject:Re[2]We are going to bill your credit card:
Message:
Hi Greg its Wendy.
I was shocked, when I found out that it wasn't you but your twin brother!!!
That's amazing, you're as like as two peas. No one in bed is better
than you Greg. I remember, I remember everything very well, that promised
you to tell how it was, I'll give you a call today after 9.
<... omitted ... >
I'm so thankful to you, for acquainted me to your brother. I think
we can do it on the next Saturday all three together? What do you think?
O yes, as you wanted I've made a few pictures check them out in archive,
I hope they will excite you, and you will dream of our new meeting...
Wendy.
Attached file:wendy.zip
Once executed, the worm copies itself as Svchost.exe into
your Windows directory (by default, C:\Windows or C:\Winnt).
It also adds the following registry entry to the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"France" = "%Windir%\svchost.exe"
The worm looks for email addresses in files on the local drive and
writes all of them to the file Xu298da.tmp in the Windows directory.
It attempts to exclude files with the following extensions from its search:
AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR,
TIF, VXD, WAV, ZIP
The worm checks whether there is a valid Internet connection
by attempting to connect to www.register.com. It can launch a denial
of service attack against the websites www.authorizenet.com, disney.go.com,
www.spamcop.net, www.carderplanet.net, www.cardcops.com, www.register.com,
www.spews.org and www.spamhaus.org.
How to Remove Mimail.L?
Follow these steps to remove the Mimail.L worm.
1) Turn off the System Restore function on Windows Me, Windows
XP and Windows 2003 systems.
2) End the running program or reboot your system into Safe
mode.
Open the Windows Task Manager by pressing CTRL+ALT+DEL on Win9x
machines, or CTRL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP
machines.
Locate the program named NETWATCH.EXE, click on it
and choose End Task or End Process.
3) Remove the registry entries.
Click on Start|Run and enter Regedit.
In the left panel, go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, right-click and delete the following entry:
"France"="%Windir%\svchost.exe"
Close the Registry Editor.
4) Reboot the system. Update the virus definitions of your antivirus
program and run a thorough virus scan to delete the infected files.
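
A read-only check for the indicators described above (the "France" Run value, a svchost.exe in the Windows directory, and Xu298da.tmp), added here as an example and not part of the original article. It works on saved `reg query` output for the Run key and a listing of the Windows directory; the function names, the default C:\Windows path and the constructed sample input are assumptions.

```python
import ntpath
import re

# One value line of `reg query` text output: name, type, data, 4-space separated.
RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_query_output):
    """Return {value name: data} parsed from saved `reg query` output."""
    values = {}
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip().strip('"')
    return values

def normalize(path, windir):
    # Expand %Windir% by hand so saved output can be checked on another host.
    path = re.sub(r"%windir%", lambda _: windir, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))

def mimail_l_indicators(reg_query_output, windir_listing, windir=r"C:\Windows"):
    """List the page's Mimail.L indicators found in the collected data."""
    # The genuine svchost.exe lives in System32, not in the Windows directory.
    dropped = normalize(ntpath.join(windir, "svchost.exe"), windir)
    findings = []
    for name, data in parse_run_values(reg_query_output).items():
        if name.lower() == "france" or normalize(data, windir) == dropped:
            findings.append(f"Run value {name!r} -> {data}")
    files = {f.lower() for f in windir_listing}
    for artefact in ("svchost.exe", "xu298da.tmp"):
        if artefact in files:
            findings.append(f"file in Windows directory: {artefact}")
    return findings

# Constructed sample input (not captured from a real system).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    France    REG_SZ    %Windir%\svchost.exe
    Updater    REG_SZ    C:\Program Files\Example\updater.exe
"""
SAMPLE_DIR = ["explorer.exe", "Svchost.exe", "Xu298da.tmp", "win.ini"]

if __name__ == "__main__":
    for finding in mimail_l_indicators(SAMPLE_REG, SAMPLE_DIR):
        print(finding)
```

An empty result after step 4 indicates that the Run entry and both files are gone; the check itself changes nothing on the system.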