Win32:MiMail-J
Win32:MiMail-J is another worm that pretends to be an e-mail from the PayPal online payment service and tries to steal your credit card information. It is very similar to Win32:MiMail-I.
The infected e-mails come from the e-mail address Do_Not_Reply@paypal.com and have the following characteristics:
Subject line: IMPORTANT
Message text:
Dear PayPal member,
We regret to inform you that your account is about to be expired in next five
business days. To avoid suspension of your account you have to reactivate it by
providing us with your personal information.
To update your personal profile and continue using PayPal services you have to
run the attached application to this email. Just run it and follow the
instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in next
five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attached file: www.paypal.com.pif
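A mail-gateway check for the attachment trick described above, as an added example that is not part of the original advisory: the file name www.paypal.com.pif reads like a web address but ends in an extension that Windows executes. The function names, the extension lists and the message built by constructed_sample are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; .pif is the one this worm uses (list is an assumption).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Endings that make the rest of the name read like a web address (assumption).
HOSTLIKE_ENDINGS = (".com", ".net", ".org")


def attachment_findings(raw_message: bytes) -> list[str]:
    """Return the reasons a message's attachments resemble this worm's lure."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before
        # reading the extension; compare case-insensitively.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        stem, dot, ext = name.rpartition(".")
        if dot + ext not in EXECUTABLE_EXTS:
            continue
        findings.append(f"executable attachment: {name}")
        # The disguise: what precedes the real extension looks like a host name.
        if stem.startswith("www.") or stem.endswith(HOSTLIKE_ENDINGS):
            findings.append(f"name disguised as a web address: {name}")
    return findings


def constructed_sample(filename: str) -> bytes:
    """Build a constructed test message shaped like the one described above."""
    msg = EmailMessage()
    msg["From"] = "Do_Not_Reply@paypal.com"
    msg["Subject"] = "IMPORTANT"
    msg.set_content("Dear PayPal member,")
    # One placeholder byte stands in for the attachment body.
    msg.add_attachment(b"\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in attachment_findings(constructed_sample("www.paypal.com.pif")):
        print(reason)
```
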
If the worm is executed, it displays a dialog box requesting you to enter a range of information about your credit card. This includes your full credit card number, your PIN, the expiry date, and even the so-called CVV code (this is an additional three-digit security code printed on the back of your card which is not recorded by credit card machines during transactions). It also asks you for additional personal information such as your Social Security Number and your mother's maiden name. The dialog includes a PayPal logo in a further attempt to appear legitimate. Information entered into the form is sent out by e-mail to several e-mail addresses stored inside the worm's body.
The worm sends itself via e-mail to addresses found on the hard drive. It stores all e-mail addresses inside the file called ee98af.tmp in the Windows folder.
It copies itself to the file svchost32.exe in the Windows directory and adds the following entry to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32
Removal:
To remove this virus please use our free avast! Virus Cleaner.
avast! with VPS file dated on or after 18th November 2003 is able to detect this worm.



