Win32:Mimail-I

is a worm which pretends to be an e-mail from Paypal on-line payment service and which tries to steal your credit card information.

The infected e-mails come from the e-mail address donotreply@paypal.com and have the following characteristics:
Subject line: YOUR PAYPAL.COM ACCOUNT EXPIRES
Message text:
Dear PayPal member,

PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

[your_email@your_domain]

will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

[random characters]

Attached file: www.paypal.com.scr

If the worm is executed, it displays a dialog box requesting you to enter a range of information about your credit card. This includes your full credit card number, your PIN, the expiry date, and even the so-called CVV code (this is an additional three-digit security code printed on the back of your card which is not recorded by credit card machines during transactions). The dialog includes a PayPal logo in a further attempt to appear legitimate. Information entered into the form is sent out by e-mail to several e-mail addresses stored inside the worm's body.

Worm send itself via e-mail to addresses found on the hard drive. It stores all e-mail addresses inside the file called el388.tmp in the Windows folder.

It copies itself to the file svchost32.exe in the Windows directory and adds the following registry entry into registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32

Removal:
To remove this virus please use our free avast! Virus Cleaner.

avast! with VPS file dated on or after 14th November 2003 is able to detect this worm.

Viruses
Viruses in the Wild Windows viruses Older windows viruses 2002 Older windows viruses 2001 Older windows viruses 2000 Script viruses Macro viruses Virus report form Virus report summary Eicar Test File VPS history
Subscription Services
VPS (iAVS) Subscr. service
avast! Virus Cleaner
Home pageWeb site mapPrint this pagePrivacy policy
Copyright © 1988 - 2008 ALWIL Software a.s.
Home page
Viruses  windows viruses  Win32:Mimail-I