W32/Mimail.i@MM Classed as a "Medium Risk" virus/worm. what ya wanna call it!
Overview
This new variant of W32/Mimail.gen@MM attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys , which is sent to four email addresses, hard-coded in the worm. (Access to these mailboxes is in the process of being blocked).
The worm constructs email messages using its own SMTP engine. As with previous variants, the mailing routine queries the mail server for the domain related to the target (harvested) address. This is determined via an MX lookup on the target domain. Messages are then sent through that SMTP server.
This worm is received in an email message as follows:
From: "PayPal.com"
donotreply@paypal.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure. IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received. Thank you for using PayPal
Attachment (one of the following):
www.paypal.com.scr
paypal.asp.scr (may be seen via seeding of the worm)
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
Target folders are determined by querying the following Registry key:
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \
Explorer \ Shell Folders
Credit Card Information Stealing
Victim credit card information is collated into C:\PPINFO.SYS. The worm then attempts to send this data to email address hard-coded in its body. The target addresses are all within the following domain:
CENTRUM.CZ
Thus, outgoing DNS queries for this server will be issued from the victim machine.
Symptoms
The following registry key is added to run the virus at startup:
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \
Run "SvcHost32" = %WinDir%\svchost32.exe
The worm creates the following files:
c:\pp.gif (paypal icon)
c:\pp.hta (graphical interface)
c:\ppinfo.sys (your credit card details)
%WinDir%\ee98af.tmp (copy of the worm)
%WinDir%\el388.tmp (harvested email addresses)
%WinDir%\svchost32.exe (copy of the worm)
%WinDir%\zp3891.tmp
Note: %WinDir% is a variable for the Windows directory name. The worm does not use this exact name. It simply uses the system %WinDir% directory.
The worm checks for an active Internet connection by pinging
www.akamai.com.
AAAhhhhhhh.....finished!
Hope this helps dude!
Gives u a bit of useless insight into the virus m8, if nothing else.
"Pinchaaay!"
