- Presence of the next files in %WINDOWS% folder:
svchost32.exe (12,832 bytes)
- Presence of the next files on the root of drive C:
- Presence of the next registry keys or entries:
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.
Open Task Manager pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
use "End Process" on svchost32.exe (NOT svchost.exe)
delete the files EE98AF.TMP, EL388.TMP, ZP3891.TMP from Windows folder and files PP.GIF, PP.HTA, C:\PPINFO.SYS from the root of drive C
open Registry Editor (click Start, Run and enter regedit)
remove the key:
- Use the free removal tool from BitDefender
- Let BitDefender delete/disinfect files found infected.
Patrik Vicol BitDefender Virus Researcher
The virus comes as a fake e-mail from PayPal: Subject:
YOUR PAYPAL.COM ACCOUNT EXPIRES Body: Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal
account. This account, which is associated with the email address
[receiver's_e-mail_address_is@here] will be expiring within five business days. We apologize for any inconvenience that this
may cause, but this is occurring because all of our customers are required to update their
account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our
website to insure everyone's absolute privacy. To avoid any interruption in PayPal
services then you will need to run the application that we have sent with this email (see
attachment) and follow the instructions. Please do not send your personal information
through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the
next five business days then we will be forced to deactivate your account and you will not
be able to use your PayPal account any longer. It is strongly recommended that you take a
few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system
and the reply will not be received.
Thank you for using PayPal. Attachment: paypal.asp.scr
Once the virus is run, it does the following:
1. Creates the registry key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SvcHost32"="C:\WINDOWS\svchost32.exe"
2. Copies itself as %WINDOWS%\svchost32.exe
3. Creates files: C:\PP.HTA
(3,396 bytes) C:\PP.GIF
that contain the fake paypal message the virus shows:
4. Creates files: %WINDOWS%\EE98AF.TMP
(copy of the virus) %WINDOWS%\EL388.TMP
(where the harvested e-mails are stored) %WINDOWS%\ZP3891.TMP
if also creates the file C:\PPINFO.SYS
where the credit card details are stored
5. Harvests e-mail addresses from the victim computer's files, ignoring files with
avi, bmp, cab, com, dll, exe, gif, jpg, mp3, mpg, ocx, pdf, psd, rar, tif, vxd, wav, zip
6. Attempts to send itself to harvested e-mail addresses