F-Secure Virus Descriptions : Mimail.I


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.


NAME: Mimail.I
ALIAS: I-Worm.Paylap, W32.Paylap@mm

Summary

Mimail.I is an email worm which disguises itself as an email from the PayPal on-line payment service and tries to steal credit card information. It arrives with the subject 'YOUR PAYPAL.COM ACCOUNT EXPIRES' and an attachment called 'www.paypal.com.scr'.

F-Secure has received reports of emails containing the Mimail.I worm with the attachment name 'paypal.asp.scr'. Since the worm itself sends emails with the attachment name 'www.paypal.com.scr', it is likely that those messages were hand-crafted.

Disinfection

Manual disinfection of a Mimail.I-infected computer consists of the following steps:

1. Remove the registry value [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]

2. Restart the computer

3. Delete '%WinDir%\svchost32.exe' (where %WinDir% is the Windows directory, typically c:\windows\ or c:\winnt)



Detailed Description

Mimail.I was found on November 14th, 2003. It arrives in an email that looks as follows:

 From: "PayPal.com" donotreply@paypal.com
 Subject:  YOUR PAYPAL.COM ACCOUNT EXPIRES

 Attachment: www.paypal.com.scr

 Dear PayPal member,

 PayPal would like to inform you about some important information
 regarding your PayPal account. This account, which is associated
 with this email address

 recipient@somewhere

 will be expiring within five business
 days. We apologize for any inconvenience that this may cause,
 but this is occurring because all of our customers are required
 to update their account settings with their personal information.

 We are taking these actions because we are implementing a new
 security policy on our website to insure everyone's absolute
 privacy. To avoid any interruption in PayPal services then you
 will need to run the application that we have sent with this
 email (see attachment) and follow the instructions. Please do
 not send your personal information through email, as it will not
 be as secure.

 IMPORTANT! If you do not update your information with our secure
 application within the next five business days then we will be
 forced to deactivate your account and you will not be able to
 use your PayPal account any longer. It is strongly recommended
 that you take a few minutes out of your busy day and complete
 this now.

 DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an
 automated message system and the reply will not be received.

 Thank you for using PayPal.

The worm collects email addresses from files on the infected computer. It recursively searches the user's document folders and reads every file whose extension is not on the following list:

 "bmp"
 "jpg"
 "gif"
 "exe"
 "dll"
 "avi"
 "mpg"
 "mp3"
 "vxd"
 "ocx"
 "psd"
 "tif"
 "zip"
 "rar"
 "pdf"
 "cab"
 "wav"
 "com"

Using its own SMTP engine, it sends emails with the malicious attachment. To find the SMTP server for the target email address, the worm does an MX lookup using a predefined public DNS server.
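The lure described above can be matched at a mail gateway from the fields this description gives. The following is an added example, not F-Secure's code; the sample message is constructed from the description, and the generic '.scr' check flags any screensaver attachment, not only the two names reported here.

```python
"""Mail-gateway rule for the Mimail.I lure described above (added example,
not F-Secure's tooling; the sample message is constructed from this page)."""
import email
from email import policy

# Indicators taken from the description: subject, sender and attachment names.
LURE_SUBJECT = "YOUR PAYPAL.COM ACCOUNT EXPIRES"
LURE_SENDER = "donotreply@paypal.com"
KNOWN_ATTACHMENTS = {"www.paypal.com.scr", "paypal.asp.scr"}

# Constructed sample in the shape shown above; the attachment body is a
# harmless placeholder string, not worm code.
SAMPLE_EMAIL = (
    'From: "PayPal.com" <donotreply@paypal.com>\r\n'
    "To: recipient@somewhere\r\n"
    "Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Dear PayPal member, ... run the application that we have sent.\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="www.paypal.com.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "cGxhY2Vob2xkZXI=\r\n"
    "--b1--\r\n"
)

def mimail_i_indicators(raw: str) -> list[str]:
    """Return the Mimail.I indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits: list[str] = []
    if (msg.get("Subject") or "").strip().upper() == LURE_SUBJECT:
        hits.append("subject")
    if LURE_SENDER in (msg.get("From") or "").lower():
        hits.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(".scr"):
            # .scr files are PE executables; naming one like a web address
            # is the disguise this worm relies on, so flag it generically.
            hits.append(f"scr-attachment:{name}")
    return hits

if __name__ == "__main__":
    print(mimail_i_indicators(SAMPLE_EMAIL))
```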

Payload

When the recipient opens the malicious attachment, the worm activates and displays a fake web form. The form closely resembles the look of PayPal's website; this is how the worm tries to fool users into entering their credit card information. The credit card information is collected in the file 'c:\ppinfo.sys', which is later mailed to certain email addresses.

The fake web form is dropped to 'c:\pp.hta' and 'c:\pp.gif'.

System Infection

When started, Mimail.I first copies itself to the Windows directory as 'svchost32.exe'. This copy is set to start automatically by adding it to the registry as

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]



Detection

Detection in F-Secure Anti-Virus was published on November 14th, 2003 in the following update:

[FSAV_Database_Version]

Version=2003-11-14_01



Description: Katrin Tocheva, November 14th, 2003;

Technical Details: Gergely Erdelyi, November 14th, 2003;

F-Secure Corporation