  1. #1
    cronus71 (DF VIP Member, joined May 2001, Indonesia)

    PayPal Email - Virus

    This is out now. People should know better but posting anyway. Apologies if this was already posted.

    W32.Mimail.J@mm worm variant:

    Name of the Virus: W32.Mimail.J@mm [Symantec], W32/Mimail.gen@mm [McAfee]
    Contains its own SMTP engine for constructing email messages
    Emails itself as .pif and .exe attachments
    Harvests email addresses from the local infected machine
    Sends out large volume of data (garbage) to a remote server - suggestive of a DoS payload
    Captures information and emails it to three addresses


    Delete the email from Do_Not_Reply@PayPal.com. Do not launch or save the files attached. Users will only infect a system if they launch the attached files.

    Are Definitions Available: NO
    Detection is available through: N/A
    Detected using Virus Definitions dated:
    ScanMail pattern file:
    Norton Antivirus:



    Operating Systems Affected:
    Windows 95
    Windows 98
    Windows 2000
    Windows XP


    Ways this virus spreads: Email Mail Propagation
    Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:

    avi
    bmp
    cab
    com
    dll
    exe
    gif
    jpg
    mp3
    mpg
    ocx
    pdf
    psd
    rar
    tif
    vxd
    wav
    zip
    Addresses are written to the file EML.TMP in %WinDir%. Testing shows the worm is overly lax in identifying valid email addresses - as a result messages are likely to be sent to invalid recipients.

    Outgoing messages are constructed using the worm's own SMTP engine. They are formatted as follows:



    From: Do_Not_Reply@paypal.com
    Subject: Important (followed by blank spaces and random characters)
    [seeded with Subject: Problems with your PayPal account.]

    Dear PayPal member,

    We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

    To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

    IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

    Thank you for using PayPal.



    Attachment (one of the following):

    www.paypal.com.pif
    infoupdate.exe (may be seen via seeding of the worm)


    Information stealing payload
    Credit Card Information Stealing
    Victims of the PayPal scam will have their credit card information collated into C:\PPINFO.SYS. The worm then attempts to send this data to three email addresses.

    kaspersky@mail15.com
    ekaspersky@mail15.com
    admin@kaspersky.cjb.net
    Thus, outgoing DNS queries to these servers will be issued from the victim machine.


    Method of Infection
    The following registry key is added to run the virus at startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "SvcHost32" = %WinDir%\svchost32.exe
    The worm creates the following files:



    c:\cansend.sys
    c:\pp.gif (paypal icon)
    c:\pp.hta (graphical interface)
    c:\ppinfo.sys (your credit card details)
    %WinDir%\ee98af.tmp (copy of the worm)
    %WinDir%\el388.tmp (harvested email addresses)
    %WinDir%\svchost32.exe (copy of the worm)
    %WinDir%\zp3891.tmp
    Note: %WinDir% is a variable for the Windows directory name. The worm does not use this exact name. It simply uses the system %WinDir% directory.

    The worm checks for an active Internet connection by pinging www.akamai.com.

    This virus spreads via email. Manually running the attachment infects the local machine.
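    The indicators quoted in the post can be turned into two offline checks. The script below is an added example written for this thread; it is not from the post, from Symantec, or from McAfee. It parses a raw message and flags the lure (spoofed Do_Not_Reply@paypal.com sender, the padded "Important" subject or the seeded "Problems with your PayPal account." subject, a .pif/.exe attachment, the two attachment names from the advisory), and it scans the text of a reg.exe export of the Run key for the "SvcHost32" value pointing at svchost32.exe. The sample message, clean message and registry export are constructed for the demo; the Windows path in the export is assumed.

```python
"""Triage helpers for the Mimail.J lure and its Run-key persistence (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators taken from the advisory quoted in the post.
SPOOFED_SENDER = "do_not_reply@paypal.com"
SEEDED_SUBJECT = "problems with your paypal account."
KNOWN_ATTACHMENTS = {"www.paypal.com.pif", "infoupdate.exe"}
EXEC_EXTENSIONS = (".pif", ".exe")
RUN_VALUE_NAME = "svchost32"
RUN_IMAGE_NAME = "svchost32.exe"


def classify_message(raw: str) -> dict:
    """Return the lure indicators matched by one raw RFC 822 message (empty dict = nothing matched)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {}
    # The worm sets a fixed From address it does not control (header spoofing).
    sender = parseaddr(msg.get("From") or "")[1].lower()
    if sender == SPOOFED_SENDER:
        hits["spoofed_sender"] = sender
    subject = (msg.get("Subject") or "").strip()
    # "Important" followed by blanks and random characters, or the seeded subject.
    if re.match(r"^Important(\s+\S+)?$", subject) or subject.lower() == SEEDED_SUBJECT:
        hits["lure_subject"] = subject
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            hits.setdefault("known_attachment", []).append(name)
        elif name.endswith(EXEC_EXTENSIONS):
            hits.setdefault("executable_attachment", []).append(name)
    return hits


def find_run_key_persistence(reg_export: str) -> list:
    """Return (value_name, image_path) pairs under ...\\CurrentVersion\\Run that match the worm's entry."""
    found = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        # .reg exports escape backslashes as "\\"; undo that before matching.
        name, path = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE_NAME or path.lower().endswith(RUN_IMAGE_NAME):
            found.append((name, path))
    return found


# Constructed sample: a message shaped like the one described in the advisory.
SAMPLE_MESSAGE = """\
From: Do_Not_Reply@paypal.com
To: victim@example.invalid
Subject: Important    x7Kq
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear PayPal member, ...
--b1
Content-Type: application/octet-stream; name="www.paypal.com.pif"
Content-Disposition: attachment; filename="www.paypal.com.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary message with no attachment.
CLEAN_MESSAGE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch

Still on for noon?
"""

# Constructed sample: a reg.exe export of the Run key (Windows path assumed).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"
"SomeLegitApp"="C:\\Program Files\\Vendor\\app.exe"
"""

if __name__ == "__main__":
    print("sample message:", classify_message(SAMPLE_MESSAGE))
    print("clean message:", classify_message(CLEAN_MESSAGE))
    print("run key:", find_run_key_persistence(SAMPLE_REG_EXPORT))
```

    The two checks are deliberately independent: the message classifier suits a mail gateway or mailbox sweep, while the registry scan works on exports collected from hosts, so a machine that already ran the attachment can be found by its Run entry even after the mail has been deleted.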


  2. #2
    CominAtcha (DF VIP Member, joined Jan 2003)

    We've had one of these cheeky blighters at the office here. NAV sorted it, before infection though.