W32.Mineup.Worm is a worm that is spread by disguising itself as an update to the popular Windows game Minesweeper. The worm consists of two components, one executable component and one VBS component. The VBS component sends the executable file to everyone in your Microsoft Outlook Address Book. The worm also contains a small payload routine that executes on the 15th of every month.

W32.Mineup.Worm is written in a High-Level Language (HLL). When the worm is executed, it checks to see which folder it is executed from. If it is not executed from the \Windows\System folder, it displays the following message:

The worm then copies itself to the \Windows\System folder.

If the worm is executed from the \Windows\System folder, it creates in the root of drive C a file named ENVOIE_VBS.vbs (envoie means "send" in French). This .vbs file is executed immediately, and when it is executed, it emails the executable file to everyone in your Microsoft Outlook Address Book. The message is:

Subject: Is the work so hard ??
Message: Relax you with the last version of