Kaspersky: A new version of the Mimail Internet worm has been detected in the wild. Preliminary investigations suggest that the Mimail.i worm could pose a signinficant threat. Like it's predecessors, the latest version of Mimail spreads as an email attachment, which in this case is named paypal.asp.scr. The worm gains control over victim machines only if the attachment is opened. If the victim does launch Mimail, the worm opens a dialogue box where it asks for PayPal credit card information. Any data that is entered is saved in a file named ppinfo.sys, which the worm mails to the virus sender. Computer users should be on the lookout for Mimail.i and, as always, keep anti-virus software databases up to date. A detailed description of Mimail.i is available in the Kaspersky Virus Encyclopedia at: http://www.viruslist.com/eng/viruslist.html?id=400658
Sophos: W32/Mimail-I is a worm which spreads via email using addresses harvested from the hard drive of your computer. All email addresses found on your PC are saved in a file named el388.tmp in the Windows folder. In order to run itself automatically when Windows starts up the worm copies itself to the file svchost32.exe in the Windows folder and adds the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32 Read more: http://www.sophos.com/virusinfo/analyses/w32mimaili.html