
Win32.Mimail.J@mm

HIGH
MEDIUM
Size: 13856 bytes
Alias: W32/Mimail-J

Symptoms

- Presence of the following file in the %WINDOWS% folder:
svchost32.exe (12,832 bytes)
- Presence of the following files in the root of drive C:
PP.GIF
PP.HTA
- Presence of the following registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SvcHost32"="%WINDOWS%\svchost32.exe"


where %WINDOWS% points to the Windows folder (WINDOWS, or WINNT on Windows NT-based systems), and

%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on Windows NT-based systems.

Removal instructions:

Manual Removal
- Open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESCAPE] on Windows 2000/XP).
- Use "End Process" on svchost32.exe (NOT svchost.exe, which is a legitimate Windows component).
- Delete the files EE98AF.TMP, EL388.TMP and ZP3891.TMP from the Windows folder, the file svchost32.exe from the Windows folder, and the files PP.GIF, PP.HTA and PPINFO.SYS from the root of drive C. EL388.TMP contains the harvested e-mail addresses and PPINFO.SYS contains any credit card details entered into the fake form, so copy them aside first if you need to notify the people affected.
- Open Registry Editor (click Start, Run and enter regedit) and remove the value:
"SvcHost32" under [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Automatic Removal
- Use the free removal tool from BitDefender
- Let BitDefender delete/disinfect files found infected.
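The manual steps above can be scripted. The following is an added example written for this page, not BitDefender's removal tool: the file names, the Run value and the process name are the ones listed on this page; the function names, the evidence folder, the use of tasklist/taskkill and the choice to copy the two data files aside before deletion are this example's own. Registry and process access only happens on Windows; the file sweep, the Run-value matcher and the tasklist parser are plain functions so they can be exercised anywhere.

```python
"""Host triage and clean-up for the Win32.Mimail.J@mm indicators above."""
import csv
import io
import os
import shutil
import subprocess

# Dropped files, relative to %WINDOWS% and to the root of drive C: (from the page).
WINDOWS_FILES = ["svchost32.exe", "EE98AF.TMP", "EL388.TMP", "ZP3891.TMP"]
ROOT_FILES = ["PP.GIF", "PP.HTA", "PPINFO.SYS"]
# EL388.TMP holds the harvested addresses and PPINFO.SYS the captured card
# details: copy them aside before deleting so the affected people can be told.
EVIDENCE_FILES = {"EL388.TMP", "PPINFO.SYS"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SvcHost32"
PROCESS_NAME = "svchost32.exe"  # the real service host is svchost.exe: never kill that


def windows_dir():
    """%WINDOWS%: C:\\WINDOWS on 9x/XP, C:\\WINNT on NT4/2000; %SystemRoot% covers both."""
    return os.environ.get("SystemRoot", r"C:\WINDOWS")


def find_files(win_dir, drive_root):
    """Full paths of the dropped files that actually exist."""
    paths = [os.path.join(win_dir, f) for f in WINDOWS_FILES]
    paths += [os.path.join(drive_root, f) for f in ROOT_FILES]
    return [p for p in paths if os.path.isfile(p)]


def find_run_entries(run_values):
    """run_values is {name: data} read from the HKLM Run key. Flags the worm's
    own value and any other value whose command ends in svchost32.exe."""
    return {name: data for name, data in run_values.items()
            if name.lower() == RUN_VALUE.lower()
            or str(data).strip('"').lower().endswith(PROCESS_NAME)}


def parse_tasklist(csv_text):
    """PIDs of svchost32.exe in `tasklist /FO CSV` output; svchost.exe is not matched."""
    return [int(row[1]) for row in csv.reader(io.StringIO(csv_text))
            if len(row) >= 2 and row[0].lower() == PROCESS_NAME]


def quarantine_and_delete(paths, evidence_dir):
    """Copy the two data files into evidence_dir, then delete every path given.
    Returns the evidence copies that were made."""
    os.makedirs(evidence_dir, exist_ok=True)
    kept = []
    for path in paths:
        if os.path.basename(path).upper() in EVIDENCE_FILES:
            dest = os.path.join(evidence_dir, os.path.basename(path))
            shutil.copy2(path, dest)
            kept.append(dest)
        os.remove(path)
    return kept


def main():  # Windows only: needs winreg, tasklist and taskkill
    import winreg
    out = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout
    for pid in parse_tasklist(out):  # stop the worm before touching its file
        subprocess.run(["taskkill", "/F", "/PID", str(pid)])
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        values = {}
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
        for name in find_run_entries(values):
            print("removing Run value", name)
            winreg.DeleteValue(key, name)
    win = windows_dir()
    root = os.path.splitdrive(win)[0] + "\\"
    found = find_files(win, root)
    print("dropped files:", found)
    print("evidence kept:", quarantine_and_delete(found, os.path.join(root, "mimail_evidence")))


if __name__ == "__main__":
    main()
```

Run it as an administrator after the worm's e-mail has been dealt with at the gateway; the evidence folder is the only thing it leaves behind.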

Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:

This variant asks for more personal information than earlier versions. The e-mail it sends looks like this:

Subject: IMPORTANT
Body:
Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.
Attachment: paypal.asp.scr, www.paypal.com.scr or InfoUpdate.exe
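A mail gateway can stop this lure before anyone runs the attachment. The following is an added example, not part of the BitDefender analysis: it scores a message on the cues quoted above (the subject, phrases from the body, the three attachment names, and the .scr/.exe extensions the worm uses). The thresholds, the function names, the sender and recipient addresses in the constructed sample and the decision to also flag any executable with a double extension are this example's own choices.

```python
"""Gateway check for the Mimail.J PayPal lure quoted above."""
import email
import os
from email import policy
from email.message import EmailMessage

# Cues taken from the lure above; all comparisons are case-insensitive.
LURE_SUBJECT = "important"
LURE_PHRASES = (
    "dear paypal member",
    "run the attached application",
    "your account will be suspended",
)
LURE_ATTACHMENTS = {"paypal.asp.scr", "www.paypal.com.scr", "infoupdate.exe"}
# Only the two extensions this worm uses; a production gateway keeps a longer list.
EXECUTABLE_EXT = {".scr", ".exe"}


def is_executable(filename):
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXT


def has_disguising_extension(filename):
    """paypal.asp.scr and www.paypal.com.scr hide the real extension behind a
    harmless-looking one; flag any executable whose name has two or more dots."""
    return is_executable(filename) and filename.lower().count(".") >= 2


def lure_text_hits(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    return [p for p in LURE_PHRASES if p in text]


def score_message(raw):
    """Return (verdict, reasons); verdict is 'block', 'flag' or 'allow'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject_hit = (msg["subject"] or "").strip().lower() == LURE_SUBJECT
    if subject_hit:
        reasons.append("subject matches the lure subject 'IMPORTANT'")
    text_hits = lure_text_hits(msg)
    reasons += [f"body contains lure phrase '{p}'" for p in text_hits]

    known_name = executable = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in LURE_ATTACHMENTS:
            known_name = True
            reasons.append(f"attachment {name} is a known Mimail.J file name")
        if is_executable(name):
            executable = True
            reasons.append(f"executable attachment {name}")
        if has_disguising_extension(name):
            reasons.append(f"attachment {name} uses a disguising double extension")

    # A known name is enough on its own; otherwise an executable plus lure text.
    if known_name or (executable and (subject_hit or text_hits)):
        return "block", reasons
    if executable:
        return "flag", reasons
    return "allow", reasons


# Constructed sample messages (addresses are made up, not from the page).
LURE_BODY = (
    "Dear PayPal member,\n\n"
    "We regret to inform you that your account is about to be expired in next "
    "five business days. To avoid suspension of your account you have to "
    "reactivate it by providing us with your personal information.\n\n"
    "To update your personal profile and continue using PayPal services you "
    "have to run the attached application to this email. Just run it and "
    "follow the instructions.\n"
    "IMPORTANT! If you ignore this alert, your account will be suspended in "
    "next five business days and you will not be able to use PayPal anymore.\n\n"
    "Thank you for using PayPal.\n"
)


def build_sample(subject, body, attachment=None):
    """Build a raw RFC 5322 message for testing; the attachment is a stub, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "service@paypal.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("IMPORTANT", LURE_BODY, "www.paypal.com.scr")))
    print(score_message(build_sample("lunch?", "Sandwiches at noon.")))
```

Matching the exact file names catches this variant; the executable-plus-lure-text and double-extension rules are what still fire when the next variant renames the attachment.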
Once the virus is run, it does the following:
1. Creates the registry entry (so that it is started at every logon):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SvcHost32"="%WINDOWS%\svchost32.exe"
2. Copies itself as %WINDOWS%\svchost32.exe
3. Creates the files:
C:\PP.HTA (3,396 bytes)
C:\PP.GIF (902 bytes)
which contain the fake PayPal message the virus displays.
4. Creates the files:
%WINDOWS%\EE98AF.TMP (a copy of the virus)
%WINDOWS%\EL388.TMP (where the harvested e-mail addresses are stored)
%WINDOWS%\ZP3891.TMP
It also creates the file C:\PPINFO.SYS, where the collected credit card details are stored.
5. Harvests e-mail addresses from the files on the victim's computer, skipping files with the following extensions:
avi, bmp, cab, com, dll, exe, gif, jpg, mp3, mpg, ocx, pdf, psd, rar, tif, vxd, wav, zip
6. Attempts to send itself to the harvested e-mail addresses.