Alias: W32/Mimail.j@MM [McAfee], WORM_MIMAIL.J [Trend], Win32.Mimail.J [Computer Associates], W32/Mimail-J [Sophos], I-Worm.Mimail.j [Kaspersky]
Type: Worm
Size: 13,856 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution

The email sent by the worm contains:

Subject: IMPORTANT

Body: Dear PayPal member, We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information. To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions. IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore. Thank you for using PayPal.

Attachment:
www.paypal.com.pif
InfoUpdate.exe

Technical Details

When activated, Worm/MiMail.J2 copies itself to
C:\%WinDIR%\svchost32.exe
C:\%WinDIR%\ee98af.tmp
and creates the following autostart registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SvcHost32"="%WinDIR%\svchost32.exe"

It displays a window named PayPal Secure Application and saves the information entered into that form to the file C:\ppinfo.sys. The file also records whether the PayPal form has been completed.

The worm checks for an active Internet connection by trying to open www.ak**ai.com. If this succeeds, the worm tries to send the contents of the file ppinfo.sys to certain email addresses.

The worm searches for email addresses in temporary Internet files, skipping files with the extensions .com .wav .cab .pdf .rar .zip .tif .psd .ocx .vxd .mp3 .mpg .avi .dll .exe .gi .jpg .bmp. The collected addresses are saved in the file
%WinDIR%\el388.tmp. If it can connect to an SMTP server, the worm sends its own email to the collected addresses.
This description was created by Crony Walker on Tuesday, 15 June 2004.
