Win32.Mimail.J@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Mimail.J@mm is also known as W32/Mimail-J.
Explanation:
This version asks for more personal information:
Subject: IMPORTANT
Body:
Dear PayPal member,
We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.
To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attachment: paypal.asp.scr, www.paypal.com.scr or InfoUpdate.exe
Once the virus is run, it does the following:
1. Creates the registry value:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SvcHost32"="C:\WINDOWS\svchost32.exe"
2. Copies itself as %WINDOWS%\svchost32.exe
3. Creates the files:
C:\PP.HTA (3,396 bytes)
C:\PP.GIF (902 bytes)
which contain the fake PayPal message the virus displays.
4. Creates the files:
%WINDOWS%\EE98AF.TMP (copy of the virus)
%WINDOWS%\EL388.TMP (where the harvested e-mail addresses are stored)
%WINDOWS%\P3891.TMP
It also creates the file C:\PPINFO.SYS, where the stolen credit card details are stored.
5. Harvests e-mail addresses from files on the victim's computer, ignoring files with the following extensions:
avi, bmp, cab, com, dll, exe, gif, jpg, mp3, mpg, ocx, pdf, psd, rar, tif, vxd, wav, zip
6. Attempts to send itself to the harvested e-mail addresses.
Last update 21 November 2011
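As an added triage example (not part of BitDefender's description), the Python below checks an exported Run-key listing and a file snapshot against the persistence and dropped-file indicators listed in steps 1 to 4. The snapshot data is constructed; it assumes the Run values and file sizes were collected beforehand (registry export, directory listing) and passed in as dictionaries.

```python
from typing import Dict, List

# Indicators taken from the Win32.Mimail.J@mm description above (lower-cased
# for case-insensitive matching on Windows paths and value names).
RUN_VALUE_NAME = "svchost32"             # Run value "SvcHost32"
RUN_DATA_TAIL = r"\svchost32.exe"        # data "C:\WINDOWS\svchost32.exe"
DROPPED_FILES = {                        # path tail -> documented size (None = unknown)
    r"\pp.hta": 3396,
    r"\pp.gif": 902,
    r"\ppinfo.sys": None,
    r"\svchost32.exe": None,
    r"\ee98af.tmp": None,
    r"\el388.tmp": None,
    r"\p3891.tmp": None,
}


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Findings for HKLM\\...\\Run values given as {value name: data}.

    Flags the value name SvcHost32 or data ending in \\svchost32.exe.
    The genuine service host is \\System32\\svchost.exe (no '32' before
    '.exe'), so a legitimate entry pointing there is deliberately not flagged.
    """
    hits = []
    for name, data in run_values.items():
        lname, ldata = name.lower(), data.lower().strip('"')
        if lname == RUN_VALUE_NAME or ldata.endswith(RUN_DATA_TAIL):
            hits.append(f"Run value {name!r} -> {data}")
    return hits


def check_files(files: Dict[str, int]) -> List[str]:
    """Findings for a snapshot {path: size in bytes}; size is a secondary check."""
    hits = []
    for path, size in files.items():
        for tail, expected in DROPPED_FILES.items():
            if path.lower().endswith(tail):
                if expected is None:
                    note = ""
                elif size == expected:
                    note = " (size matches)"
                else:
                    note = f" (size {size}, expected {expected})"
                hits.append(f"{path}{note}")
    return hits


if __name__ == "__main__":  # constructed sample snapshot, not real host data
    run = {"SvcHost32": r"C:\WINDOWS\svchost32.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
    fs = {r"C:\PP.HTA": 3396, r"C:\PP.GIF": 900, r"C:\PPINFO.SYS": 64}
    print("\n".join(check_run_key(run) + check_files(fs)))
```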