With signature files before January 7, 2004 the virus was detected as: Win32.Mimail.Gen@mm
This virus also fakes an e-mail from PayPal:
Subject: GREAT NEW YEAR OFFER FROM PAYPAL.COM! ??????????
(where ? can be any character)
Body:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***
Dear PayPal.com Member,
We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!
If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.
That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!
Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com
Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!
Best of luck in the New Year,
PayPal.com Team
Attachment:
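As an added defensive example (not part of the original description), the following Python checks a raw e-mail against the traits of this lure: the fixed subject prefix followed by arbitrary characters, the body phrases, and a ZIP attachment. The sample messages, the attachment name and the random subject suffix are constructed for the example.

```python
import email
import re
from email import policy

# The lure subject is a fixed prefix followed by arbitrary characters (the "??????????" above).
SUBJECT_RE = re.compile(r"^GREAT NEW YEAR OFFER FROM PAYPAL\.COM! .+")
# Phrases taken from the lure body that legitimate PayPal mail would not carry.
BODY_MARKERS = ("GREAT NEW YEAR OFFER FROM PAYPAL.COM", "unpack the attachment with WinZip")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")

def has_zip_attachment(msg) -> bool:
    # Match on declared MIME type or on the .zip filename extension.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in ZIP_TYPES or name.endswith(".zip"):
            return True
    return False

def body_text(msg) -> str:
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def classify(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.match(msg.get("Subject", "")))
    body_hit = any(m in body_text(msg) for m in BODY_MARKERS)
    zip_hit = has_zip_attachment(msg)
    # A ZIP attachment plus either lure trait is what this worm's mail looks like.
    return {"subject": subject_hit, "body": body_hit, "zip": zip_hit,
            "verdict": zip_hit and (subject_hit or body_hit)}

# Constructed sample mimicking the lure (attachment name and subject suffix are made up).
SAMPLE_LURE = """\
Subject: GREAT NEW YEAR OFFER FROM PAYPAL.COM! x7Qz9Lm2Ab
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="us-ascii"

*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***
Just unpack the attachment with WinZip, run the application, and follow the instructions.
--B1
Content-Type: application/zip; name="offer.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B1--
"""
# Constructed benign message for comparison.
SAMPLE_BENIGN = "Subject: Happy New Year!\nContent-Type: text/plain\n\nHope you have a good one.\n"
```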
Once the virus has been run, it does the following:
1. Displays fake PayPal screens
2. Hides its presence on Win9x systems using RegisterServiceProcess
3. Copies itself as %WINDOWS%\winmgr32.exe
4. Creates the registry entry
5. Attempts to set the start page of Internet Explorer to
6. Creates the files c:\index.hta and c:\index2.hta and executes c:\index.hta, which displays the fake PayPal screens described above; the personal and credit card information entered there is stored in c:\tmpny3.txt
7. Attempts to send the content of c:\tmpny3.txt to a remote server.
8. Deletes and recreates the files:
%WINDOWS%\zipzip.tmp (zipped copy of the virus)
%WINDOWS%\ee98af.tmp (copy of the virus)
9. Checks whether the computer is connected by attempting to connect to www.google.com
10. Searches for e-mail addresses inside files found by following Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders and Cookies, C:\ and C:\Program Files\, skipping files with the extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp
11. Attempts to send dialup and local passwords to a few hardcoded e-mail addresses.
12. Uses its own SMTP engine to send itself; for each harvested e-mail address it queries the host's DNS server for the domain associated with that address and attempts to send itself through that domain's SMTP server or, if that fails, through the SMTP address 188.8.131.52
The virus may also attempt to update itself by downloading and executing a file c:\mm.exe