- Presence of the following file in the %WINDOWS% folder:
svchost32.exe (12,832 bytes)
- Presence of the following files on the root of drive C:
PP.HTA (3,396 bytes), PP.GIF, PPINFO.SYS
- Presence of the following registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SvcHost32"="C:\WINDOWS\svchost32.exe"
where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and
%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.
Open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP)
use "End Process" on svchost32.exe (NOT svchost.exe, which is a legitimate Windows process)
delete the files svchost32.exe, EE98AF.TMP, EL388.TMP and ZP3891.TMP from the Windows folder and the files PP.GIF, PP.HTA and PPINFO.SYS from the root of drive C:
open Registry Editor (click Start, Run and enter regedit)
remove the entry "SvcHost32" from the key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] (leave the Run key itself in place, it is used by legitimate software)
- Use the free removal tool from BitDefender
- Let BitDefender delete/disinfect files found infected.
Patrik Vicol, BitDefender Virus Researcher
This version asks for more personal information:
Subject: IMPORTANT
Body:
Dear PayPal member,
We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.
To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attachment: paypal.asp.scr, www.paypal.com.scr or InfoUpdate.exe
Once the virus is run, it does the following:
1. Creates the registry entry [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SvcHost32"="C:\WINDOWS\svchost32.exe", so that the copy below is started at every Windows logon
2. Copies itself as %WINDOWS%\svchost32.exe
3. Creates the files C:\PP.HTA (3,396 bytes) and C:\PP.GIF, which contain the fake PayPal message the virus shows.
4. Creates the files %WINDOWS%\EE98AF.TMP (a copy of the virus), %WINDOWS%\EL388.TMP (where the harvested e-mail addresses are stored) and %WINDOWS%\ZP3891.TMP. It also creates the file C:\PPINFO.SYS, where the credit card details collected by the fake form are stored.
5. Harvests e-mail addresses from the files on the victim's computer, ignoring files with the following extensions:
avi, bmp, cab, com, dll, exe, gif, jpg, mp3, mpg, ocx, pdf, psd, rar, tif, vxd, wav, zip
6. Attempts to send itself to the harvested e-mail addresses.
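As an added check that is not BitDefender's removal tool or code from this page, the script below looks for every indicator listed in the description above (the process, the files with their stated sizes, and the Run entry) and, with -Remove, carries out the manual removal steps in the same order: end the process, delete the files, remove the registry entry. It targets a modern Windows host with PowerShell, which the Windows 9x/2000/XP systems this virus was written for do not have; the script name, the use of $env:windir for %WINDOWS% and the assumption that the system drive is C: are mine.

```powershell
# Check-PayPalWorm.ps1 (hypothetical name). Added example, not BitDefender's tool.
# Run from an elevated prompt. Without -Remove it only reports what it finds.
param([switch]$Remove)

$windir = $env:windir   # assumption: %WINDOWS% is the folder reported in $env:windir
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Files from the description; ExpectedSize is set only where the page states a size.
$files = @(
    @{ Path = (Join-Path $windir 'svchost32.exe'); ExpectedSize = 12832 }
    @{ Path = (Join-Path $windir 'EE98AF.TMP') }   # copy of the virus
    @{ Path = (Join-Path $windir 'EL388.TMP') }    # harvested e-mail addresses
    @{ Path = (Join-Path $windir 'ZP3891.TMP') }
    @{ Path = 'C:\PP.HTA'; ExpectedSize = 3396 }   # fake PayPal form
    @{ Path = 'C:\PP.GIF' }
    @{ Path = 'C:\PPINFO.SYS' }                    # collected card details
)

$found = @()

# 1. Process. Match the name 'svchost32' exactly so the legitimate svchost.exe
#    instances are never listed or stopped.
$procs = @(Get-Process -Name 'svchost32' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $found += "process svchost32.exe (PID $($p.Id), image $($p.Path))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Files, with a size comparison where the page gives one. A size mismatch is
#    reported rather than skipped: another variant may reuse the same file names.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f.Path -PathType Leaf) {
        $item = Get-Item -LiteralPath $f.Path -Force
        $note = ''
        if ($f.ExpectedSize -and $item.Length -ne $f.ExpectedSize) {
            $note = " (size $($item.Length), expected $($f.ExpectedSize))"
        }
        $found += "file $($f.Path)$note"
        if ($Remove) { Remove-Item -LiteralPath $f.Path -Force }
    }
}

# 3. Run entry. The virus adds a value named SvcHost32 under the Run key; only
#    that value is removed, the Run key itself stays.
$entry = Get-ItemProperty -Path $runKey -Name 'SvcHost32' -ErrorAction SilentlyContinue
if ($entry) {
    $found += "registry $runKey\SvcHost32 = $($entry.SvcHost32)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'SvcHost32' }
}

if ($found.Count -eq 0) {
    Write-Output 'No indicators found.'
} else {
    $verb = if ($Remove) { 'removed' } else { 'found' }
    Write-Output "Indicators ${verb}:"
    $found | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Remove and read the report before cleaning up: a process entry whose image path is not %WINDOWS%\svchost32.exe, or a file whose size does not match the page, points to a different variant and should be submitted for analysis rather than silently deleted.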