How to Remove MiMail.A worm virus

What is the MiMail.A Worm?
MiMail.A is a mass-mailing worm that arrives as a zipped attachment in an email. The zip file contains an html file. The html file "message.htm" takes advantage of two known security vulnerabilities, the MHTML exploit and the codebase exploit. The virus arrives as an email similar to:

From: admin@<current domain> (The from address may be spoofed to appear that it is coming from the current domain)

Subject: your account [random string]

Message:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

Best regards,
Administrator

Attachment: Message.zip


How Does MiMail.A Worm Infect My System?

Once unzipped, the worm creates an exe file named foo.exe in the Temporary Internet Files directory and runs it.

The following files are then created in the Windows directory:

  • videodrv.exe
  • exe.tmp (temporary copy of message.htm)
  • zip.tmp (temporary copy of message.zip)

It also adds the following registry key to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"VideoDriver" = C:\Windows\videodrv.exe

as well as

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}

What Does the MiMail.A Worm Do?

Once a computer is infected, the virus checks to see if the system is connected to the Internet by trying to contact google.com. If it can contact google, then the worm attempts to gather email addresses from the infected computer. It grabs addresses from all files on the system, EXCEPT files that have the following extensions:

  • COM
  • WAV
  • CAB
  • PDF
  • RAR
  • ZIP
  • TIF
  • PSD
  • OCX
  • VXD
  • MP3
  • MPG
  • AVI
  • DLL
  • EXE
  • GIF
  • JPG
  • BMP

These addresses are then stored in a file named eml.tmp in the Windows directory. The worm has its own SMTP engine. For each email address the worm sends to, it will

  • Look up the MX record for the domain name using the DNS server of the current host. If a DNS server is not found, it will default to 212.5.86.163.
  • Acquire the mail server associated with that particular domain.
  • Directly contact the destination server.
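The delivery behaviour just described (MX lookup through the host's resolver, fallback to 212.5.86.163, and direct delivery to each destination server) is visible at the network edge. The following PowerShell script is an added example, not part of the article: it scans constructed firewall log lines for DNS traffic to the fallback resolver and for non-relay hosts opening SMTP sessions to several external servers. The log field layout, the relay address 10.0.0.25 and the threshold are assumptions.

```powershell
# Added example (not from the PC Hell article). Flags the two network behaviours
# the article attributes to MiMail.A: queries to its hard-coded fallback DNS
# server and direct-to-MX SMTP from hosts that are not the mail relay.
$FallbackDns   = '212.5.86.163'   # from the article
$MailRelay     = '10.0.0.25'      # assumed: the only host allowed to send SMTP outbound
$SmtpThreshold = 3                # assumed: distinct external SMTP peers before flagging

# Constructed sample log: timestamp src dst dport proto (external IPs are TEST-NET)
$LogLines = @'
2003-08-01T10:00:01 10.0.5.17 203.0.113.10 80 TCP
2003-08-01T10:00:02 10.0.5.17 212.5.86.163 53 UDP
2003-08-01T10:00:03 10.0.5.17 198.51.100.3 25 TCP
2003-08-01T10:00:04 10.0.5.17 198.51.100.40 25 TCP
2003-08-01T10:00:05 10.0.5.17 203.0.113.7 25 TCP
2003-08-01T10:00:06 10.0.0.25 198.51.100.3 25 TCP
2003-08-01T10:00:07 10.0.5.18 10.0.0.25 25 TCP
'@ -split "`n"

# Parse each line into an object; blank or short lines are skipped
$events = foreach ($line in $LogLines) {
    $p = $line.Trim() -split '\s+'
    if ($p.Count -lt 5) { continue }
    [pscustomobject]@{ Time = $p[0]; Src = $p[1]; Dst = $p[2]; Port = [int]$p[3]; Proto = $p[4] }
}

# Finding 1: any DNS traffic to the worm's fallback resolver
$events | Where-Object { $_.Dst -eq $FallbackDns -and $_.Port -eq 53 } |
    ForEach-Object { "ALERT $($_.Src): DNS query to MiMail fallback resolver $FallbackDns at $($_.Time)" }

# Finding 2: non-relay hosts talking SMTP directly to several external servers
$events | Where-Object { $_.Port -eq 25 -and $_.Src -ne $MailRelay -and $_.Dst -notlike '10.*' } |
    Group-Object Src |
    ForEach-Object {
        $dsts = @($_.Group.Dst | Sort-Object -Unique)
        if ($dsts.Count -ge $SmtpThreshold) {
            "ALERT $($_.Name): direct SMTP to $($dsts.Count) external servers ($($dsts -join ', '))"
        }
    }
```

With the sample above only 10.0.5.17 is reported: once for the fallback DNS query and once for sending SMTP to three external servers, while the relay and the host using the relay stay silent.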

How Can I Remove the MiMail.A worm?

Follow these steps to remove the MiMail worm.

1) Terminate the running program

  • Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTRL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
  • Locate the following program, click on it and End Task or End Process

       VIDEODRV.EXE

  • Close Task Manager

2) Remove the Registry entries

  • Click on Start, Run, Regedit
  • In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

  • In the right panel, right-click and delete the following entry

"VideoDriver"="%Windows%\videodrv.exe"

Repeat this procedure for

HKEY_LOCAL_MACHINE>Software>Microsoft>Code Store Database>Distribution Units

  • In the right panel, locate and delete the entry:
    {11111111-1111-1111-1111-111111111111}
  • Close the Registry Editor

3) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:
    eml.tmp
    zip.tmp
    exe.tmp

  • Click Find Now or Search Now.
  • Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus program.

5) Apply the patches for the MHTML exploit and the codebase exploit to avoid viruses like this in the future.
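The artifacts listed under the infection section and removed by hand in steps 1 to 3 above can be checked for in one pass. The following PowerShell script is an added example, not the article's procedure or Symantec's tool: run from an elevated prompt, it reports the running process, the Run value, the Distribution Units key and the dropped files, and removes them only when called with -Remove. The -Remove switch name and the use of %windir% for the Windows directory are assumptions.

```powershell
# Added example (not from the PC Hell article). Checks a host for the MiMail.A
# artifacts the article lists and cleans them only when -Remove is supplied.
param([switch]$Remove)

$WinDir   = $env:windir   # assumed equivalent of the article's C:\WINDOWS
$Files    = @('videodrv.exe', 'eml.tmp', 'zip.tmp', 'exe.tmp') | ForEach-Object { Join-Path $WinDir $_ }
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'VideoDriver'
$DistKey  = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}'

$findings = @()

# Step 1: the running worm process (Get-Process takes the name without .exe)
$proc = Get-Process -Name 'videodrv' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process videodrv.exe (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# Step 2: registry persistence and the Distribution Units key
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value $RunValue = $($run.$RunValue)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
}
if (Test-Path -LiteralPath $DistKey) {
    $findings += "Distribution Units key $DistKey"
    if ($Remove) { Remove-Item -LiteralPath $DistKey -Recurse }
}

# Step 3: files dropped into the Windows directory
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MiMail.A artifacts found.'
} else {
    $action = if ($Remove) { 'removed' } else { 'found (re-run with -Remove to clean)' }
    Write-Output "MiMail.A artifacts ${action}:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

As the article notes in step 3, disable System Restore on Windows ME/XP first, and follow the cleanup with a reboot and a full antivirus scan.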

For Automatic Removal of MiMail.A, download the Symantec removal tool

Other Variations of the MiMail virus

MiMail.C Removal Instructions
MiMail.D Removal Instructions
MiMail.E Removal Instructions
MiMail.F Removal Instructions
MiMail.G Removal Instructions
MiMail.I and MiMail.J Worm Removal Instructions

 

Written by Mark Hasting
