Windows "W32.Mimail.A@mm" worm reported on campus (08/04/03)
W32.Mimail.A@mm, a Windows virus, has been reported at Cornell. It infects computers running any version of Windows. Macintosh and Unix computers are not affected.
What to Watch For
W32.Mimail.A@mm is contained in an e-mail attachment named message.zip. Do not open any attachment with this name. The e-mail message may come from "admin@cornell.edu" or another official-looking address, has a subject line that begins with "your account," and claims that your e-mail account is about to expire. This claim is false: Your e-mail account will not be terminated as a result of this e-mail, which is designed to cause confusion.
The Mimail worm is hidden within an HTML file that is delivered in a compressed ZIP archive. The worm takes advantage of a vulnerability in Internet Explorer to collect information from certain windows on your desktop and e-mail it to recipients listed in the worm. The worm then spreads itself by e-mail to people in your address book.
Detailed description (from Symantec)
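The indicators described above (a subject line beginning with "your account", an attachment named message.zip, an HTML file inside the ZIP) can be checked on a saved message with a short script. This is an added example, not part of the original advisory or of any Cornell or Symantec tool; the function names, the example.edu addresses and the sample message are constructed for illustration, and case-insensitive matching is an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_PREFIX = "your account"   # indicator from the advisory
ATTACHMENT_NAME = "message.zip"   # indicator from the advisory


def mimail_indicators(raw: bytes) -> list[str]:
    """Return the advisory's indicators found in one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Assumption: compare case-insensitively so "Your Account ..." also matches.
    subject = (msg["Subject"] or "").strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT_NAME:
            continue
        hits.append("attachment-name")
        # List member names only; nothing is extracted or opened.
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
            if any(n.endswith((".htm", ".html")) for n in names):
                hits.append("html-in-zip")
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
    return hits


def build_sample(subject: str, filename: str, member: str) -> bytes:
    """Constructed test message: a harmless ZIP holding one inert text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "inert placeholder")
    m = EmailMessage()
    m["From"] = "admin@example.edu"      # constructed address
    m["To"] = "user@example.edu"         # constructed address
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(mimail_indicators(build_sample("Your account abc", "message.zip", "note.html")))
```

A match on these indicators is a reason to quarantine the message and scan it with updated antivirus definitions, not a malware verdict.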
How to Avoid It
- Update your Symantec AntiVirus software and perform a complete system scan. W32.Mimail.A@mm is detected by Symantec AntiVirus software that has been updated to the 8/1/03 virus definition file, or a newer file.
To update, run Symantec AntiVirus and choose Live Update. Or download the file via Bear Access (Virus Protection folder) or from Symantec's download site. Cornell University has signed a site license with Symantec to provide Symantec AntiVirus (SAV) to the entire campus community. The license allows SAV to be used on all university-owned computers, home computers of staff and faculty, and computers owned by registered students.
- Microsoft Security Bulletin MS03-014 includes a patch for repairing the underlying vulnerability in Internet Explorer.
- Also see CIT's tips for making Eudora more resistant to viruses/worms.
How to Get Rid of It
- The easiest way to remove this worm is to use Symantec's W32.Mimail.A@mm removal tool. Symantec also provides manual removal instructions.
- If you need additional assistance, please contact the CIT HelpDesk at 255-8990 or helpdesk@cornell.edu.
Last modified: June 04, 2007