W32/Mimail.H@mm

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Cn323" = C:\WINNT\cnfrm33.exe

The virus will then exit and run the file "cnfrm33.exe" where it will run as a process in memory

The virus will scavenge the hard drive looking for email addresses and save them into a file named "eml.tmp" into the undefinedWindowsundefined folder

The virus will then construct an email in this format and send it to all users listed in the file "eml.tmp", where "undefineds" is random characters -

From: john@ (target domain listed in "eml.tmp")
X-Priority: 1 (High)
Subject: don't be late! undefineds

Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

undefineds
Content-Type: application/x-zip-compressed; name="readnow.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readnow.zip"

The attachment "readnow.zip" contains the virus file with a double extension as "readnow.doc.scr"

The virus will attempt to connect with an SMTP server at the IP address 212.5.86.163 (ns.lemonti.ru) in order to send its emails to others

The virus contains a Denial-of-Service (DoS) attack payload which is carried out against two domains hard coded in the virus

The virus will send fragmented ICMP packets and UDP datagrams in a flood attack against the domains

spamhaus.org
spews.org

ns.lemonti.ru
212.5.86.163

Temporarily block port 80 traffic from Internal to External (INT -> EXT) for the web addresses "spamhaus.org" and "spews.org"

Add the following words to the banned words table for email -

meet+tonight+agreed+Wednesday+be+late
· Configure email servers to quarantine email messages matching this pattern, and delete as necessary