Nick VR4
14-11-2003, 01:37 PM
Please be aware of this new Virus
And delete straight away
Due to an increase in prevalence, the risk assessment of this threat has been raised to Medium.
--
This new variant of W32/Mimail.gen@MM attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys , which is sent to a remote server.
This worm is received in an email message as follows:
From: "PayPal.com" donotreply@paypal.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email INSERT INTO post VALUES (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure. IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received. Thank you for using PayPal
Attachment INSERT INTO post VALUES (one of the following):
paypal.asp.scr
www.paypal.com.scr
When the attachment is run, the following Window is displayed:
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
Top of Page
Symptoms
The following registry key is added to run the virus at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\
Run "SvcHost32" = C:\WINDOWS\svchost32.exe
The worm creates the following files:
c:\pp.gif INSERT INTO post VALUES (paypal icon)
c:\pp.hta INSERT INTO post VALUES (graphical interface)
c:\ppinfo.sys INSERT INTO post VALUES (your credit card details)
c:\WINDOWS\ee98af.tmp INSERT INTO post VALUES (virus body)
c:\WINDOWS\el388.tmp INSERT INTO post VALUES (harvested email addresses)
c:\WINDOWS\svchost32.exe INSERT INTO post VALUES (virus body)
c:\WINDOWS\zp3891.tmp
Note: c:\WINDOWS is just an example of a Windows directory name. The worm does not use this exact name. It simply uses the system WINDOWS directory. d:\WINNT is another example of a Windows directory name.
The worm checks for an active Internet connection by pinging www.akamai.com
Method Of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
And delete straight away
Due to an increase in prevalence, the risk assessment of this threat has been raised to Medium.
--
This new variant of W32/Mimail.gen@MM attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys , which is sent to a remote server.
This worm is received in an email message as follows:
From: "PayPal.com" donotreply@paypal.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email INSERT INTO post VALUES (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure. IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received. Thank you for using PayPal
Attachment INSERT INTO post VALUES (one of the following):
paypal.asp.scr
www.paypal.com.scr
When the attachment is run, the following Window is displayed:
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
psd
rar
tif
vxd
wav
zip
Top of Page
Symptoms
The following registry key is added to run the virus at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\
Run "SvcHost32" = C:\WINDOWS\svchost32.exe
The worm creates the following files:
c:\pp.gif INSERT INTO post VALUES (paypal icon)
c:\pp.hta INSERT INTO post VALUES (graphical interface)
c:\ppinfo.sys INSERT INTO post VALUES (your credit card details)
c:\WINDOWS\ee98af.tmp INSERT INTO post VALUES (virus body)
c:\WINDOWS\el388.tmp INSERT INTO post VALUES (harvested email addresses)
c:\WINDOWS\svchost32.exe INSERT INTO post VALUES (virus body)
c:\WINDOWS\zp3891.tmp
Note: c:\WINDOWS is just an example of a Windows directory name. The worm does not use this exact name. It simply uses the system WINDOWS directory. d:\WINNT is another example of a Windows directory name.
The worm checks for an active Internet connection by pinging www.akamai.com
Method Of Infection
This virus spreads via email. Manually running the attachment infects the local machine.