New Viruses Alert

What are the hottest books and magazine articles on urban culture, hip hop, and street life?
What TV shows, major films, documentaries and independent footage do you find compelling? Video games are also discussed in this section.
Post Reply
User avatar
Light Heavy Weight
Light Heavy Weight
Posts: 1580
Joined: June 23rd, 2003, 3:53 pm
Location: Los Angeles

New Viruses Alert

Unread post by wcrockets » November 19th, 2003, 12:02 pm

There are a bunch of new viruses out right now that try to get your personal data. Make sure your virus software is up to date and I think you should not give out your personal info over the net to people who email you requesting it. Even if the email does look official. A current example of a virus in the media right now is:

-- Update 14th November 2003, 4:26 PST --
Due to an increase in prevalence, the risk assessment of this threat has been raised to Medium.

This new variant of W32/Mimail.gen@MM attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys , which is sent to four email addresses, hard-coded in the worm. (Access to these mailboxes is in the process of being blocked).

The worm constructs email messages using its own SMTP engine. As with previous variants, the mailing routine queries the mail server for the domain related to the target (harvested) address. This is determined via an MX lookup on the target domain. Messages are then sent through that SMTP server.

This worm is received in an email message as follows:

From: ""

Dear PayPal member,

PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

recipient email-address

will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

Attachment: (one of the following):
paypal.asp.scr (may be seen via seeding of the worm)
When the attachment is run, the following Window is displayed:

Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:

Target folders are determined by querying the following Registry key:

Explorer\Shell Folders
Credit Card Information Stealing
Victims of the PayPal scam will have their credit card information collated into C:\PPINFO.SYS. The worm then attempts to send this data to four email addresses encrypted in its body.
Thus, outgoing DNS queries to these servers will be issued from the victim machine.

The following registry key is added to run the virus at startup:

Run "SvcHost32" = %WinDir%\svchost32.exe
The worm creates the following files:

c:\pp.gif (paypal icon)
c:\pp.hta (graphical interface)
c:\ppinfo.sys (your credit card details)
%WinDir%\ee98af.tmp (copy of the worm)
%WinDir%\el388.tmp (harvested email addresses)
%WinDir%\svchost32.exe (copy of the worm)
Note: %WinDir% is a variable for the Windows directory name. The worm does not use this exact name. It simply uses the system %WinDir% directory.

The worm checks for an active Internet connection by pinging

Method Of Infection
This virus spreads via email. Manually running the attachment infects the local machine.

Removal Instructions
All Users :
Detection of this threat will be provided in the DATs specified above.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and that combination (or higher).

Stand Alone Remover
Stinger has been updated to include detection/removal of this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- WinNT/2K/XP - Terminate the process SVCHOST32.EXE
Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
Edit the registry
Delete the "SvcHost32" value from
Delete the following file (contains credit-card information):
Additional Windows ME/XP removal considerations

Sniffer Customers: Filters have been developed that will look for Mimail.i traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

W32_Mimail.i@MM Sniffer
McAfee Security Threatscan:
ThreatScan signatures that can detect the W32/Mimail.i@MM virus are available.

Threatscan 2.5 -
Threatscan 2.0/2.1 -

Straw Weight
Straw Weight
Posts: 41
Joined: February 15th, 2004, 5:45 pm

Re: New Viruses Alert

Unread post by bluecollar » April 7th, 2004, 10:16 pm

Yes . . . be careful of AIM viruses. Be wary of your friends profiles with links . . . general rule . . . ask before you click.

A common trojan that is disseminated through AIM lies on the website

(DONT go to it)

It is usually found as a link saying "New Years EVE Party pics" etc . . . in someone's profile on AIM.

Be Wary

w/ Regards


User avatar
Middle Weight
Middle Weight
Posts: 164
Joined: August 11th, 2004, 11:10 am

Re: New Viruses Alert

Unread post by babylimpy » August 13th, 2004, 1:14 pm


Post Reply