Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| reply to Link Logger
Re: Heads Up - PayPal infection attempt - New??
I submitted this virus to a couple of the AV's and McAfee has added it as »vil.nai.com/vil/content/v_100822.htm
As you can see Vampirefo nailed this one rather well. He also mentioned the IP addresses that the virus sends the data to. I didn't want to publish those until I found out if someone was 'watching' those IP addresses as one was in the US. The IP in question are 68.168.160.2 and 62.84.131.172. NOTE full credit to Vamp for nailing this so quick.
I should also note that E-trust nailed it as Win32/Mimail.xariant.worm from the start so it would appear in this case they were ahead of McAfee.
- From McAfee -
This W32/Mimail variant attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys , which is sent to a remote server.
This worm is received in an email message as follows:
From: "PayPal.com" donotreply@paypal.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure. IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received. Thank you for using PayPal
Attachment (one of the following):
paypal.asp.scr
www.paypal.com.scr
When the attachment is run, the following Window is displayed:
See the image at »vil.nai.com/vil/content/v_100822.htm
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:
avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip
Symptoms
The following registry key is added to run the virus at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "SvcHost32" = C:\WINDOWS\svchost32.exe
The worm creates the following files:
c:\pp.gif (paypal icon)
c:\pp.hta (graphical interface)
c:\ppinfo.sys (your credit card details)
c:\WINDOWS\ee98af.tmp (virus body)
c:\WINDOWS\el388.tmp (harvested email addresses)
c:\WINDOWS\svchost32.exe (virus body)
c:\WINDOWS\zp3891.tmp
Note: c:\WINDOWS is just an example of a Windows directory name. The worm does not use this exact name. It simply uses the system WINDOWS directory. d:\WINNT is another example of a Windows directory name.
The worm checks for an active Internet connection by pinging www.akamai.com
Method Of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
Removal Instructions
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Aliases
Name
W32.Paylap@mm (NAV)
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Com
»www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel |
