Alias: W32.Paylap@mm, W32/Mimail-I
Type: Worm
Size: 12,832 bytes
Origin: unknown
Date: 11-14-2003
Damage: sends itself by email
VDF Version: 6.22.00.38
Danger: Low
Distribution: Medium

General Description
Worm/Mimail.I is a worm that poses as an online credit card service. It sends itself by email with the subject "YOUR PAYPAL.COM ACCOUNT EXPIRES" and the attachment file "www.paypal.com.scr".

Symptoms
* the following files appear in the Windows folder: EL388.TMP, SVCHOST32.EXE

Distribution
* sends itself by email using its own SMTP engine

Technical Details
Worm/Mimail.I sends itself by email, using a message containing the following:

Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES

Body:

Dear PayPal member,

PayPal would like to inform you about some important information regarding your
PayPal account. This account, which is associated with the email address

<%random%@%email.adress%>

will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

Attachment: www.paypal.com.scr
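
A mail-gateway check for the message described above, as an added example that is not part of the original description or of any Avira product. It matches the subject and attachment name given on this page and goes one step further by flagging any attachment whose name reads like a host name but ends in an executable extension; the function names `classify` and `build_sample`, the extension list and the host-name pattern are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Indicators taken from the description above.
MIMAIL_I_SUBJECT = "YOUR PAYPAL.COM ACCOUNT EXPIRES"
MIMAIL_I_ATTACHMENT = "www.paypal.com.scr"
# Assumption: extensions the gateway treats as directly executable on Windows.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}
# A stem that reads like a host name, e.g. "www.paypal.com" in "www.paypal.com.scr".
HOSTNAME_STEM = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def classify(raw_message):
    """Return the reasons to quarantine a raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    reasons = []
    # Collapse folded whitespace and ignore case before comparing the subject.
    subject = " ".join((msg.get("Subject") or "").split()).upper()
    if subject == MIMAIL_I_SUBJECT:
        reasons.append("subject matches Worm/Mimail.I")
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if not name:
            continue
        stem, _, ext = name.lower().rpartition(".")
        if name.lower() == MIMAIL_I_ATTACHMENT:
            reasons.append("attachment name matches Worm/Mimail.I")
        elif ext in EXECUTABLE_EXTS and HOSTNAME_STEM.match(stem):
            reasons.append("executable disguised as host name: " + name)
    return reasons


def build_sample(subject, filename):
    """Construct a sample message with a two-byte placeholder attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for subj, fname in [(MIMAIL_I_SUBJECT, MIMAIL_I_ATTACHMENT),
                        ("Holiday photos", "www.example.com.pif"),
                        ("Quarterly report", "report.pdf")]:
        print(fname, "->", classify(build_sample(subj, fname)))
```

The host-name heuristic also flags harmless names such as "my.file.exe", so its hits are best routed to quarantine for review rather than deleted outright.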

When the attachment is opened, Worm/Mimail.I shows a dialog box with the PayPal logo, in which the user is asked to enter the credit card number, PIN and expiry date. This data is then saved to a file ("ppinfo.sys") in the Windows folder and sent by email. After the file is sent, it is deleted.

Worm/Mimail.I copies itself to the Windows folder as SVCHOST32.EXE and EE98AF.TMP. It searches all the files on the local drive for email addresses and saves them in the Windows folder as EL388.TMP. The worm then sends itself to these email addresses.

It makes the following registry entry, so that it will be automatically run at the next system start:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"

Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:
* C:\Windows\SVCHOST32.EXE
* C:\Windows\EE98AF.TMP
* C:\Windows\EL388.TMP

Start "regedit" after that and delete the following registry entries:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* C:\Windows\SVCHOST32.EXE
* C:\Windows\EE98AF.TMP
* C:\Windows\EL388.TMP

Start "regedit" after that and delete the following registry entries:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"

Restart your computer.
Description created by Crony Walker on Tuesday, June 15, 2004
