What is the MiMail.I or MiMail.J Worm?
MiMail.I and MiMail.J are mass-mailing worms that attempt to steal credit card information. They masquerade as a "PayPal Secure Application" email similar to the following:
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Attachment: paypal.asp.scr or www.paypal.com.scr
Message:
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address <address> will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
How Does MiMail.I Worm Infect My System?
When the attachment is run, the worm creates a file named svchost32.exe in the Windows directory, along with a temporary file, and adds the following registry value so that it is started again at every logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SvcHost32" = C:\Windows\svchost32.exe
It then displays a fake PayPal form (screenshot not reproduced here) asking for credit card details. Whatever is entered is stored in the file C:\ppinfo.sys and sent to four predetermined addresses. After sending the information, the worm searches the cached internet files on the computer for email addresses, saves them to C:\Windows\el388.tmp, and mass-mails itself to those addresses.
How to Remove the MiMail.I Worm?
Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects MiMail.I during a scan, it will automatically offer you the option of deleting it; do this by following the program's instructions.
Follow these steps to remove the MiMail.I worm manually.
1) Terminate the running program
- Open the Windows Task Manager: press CTRL+ALT+DEL on Win9x machines, or press CTRL+SHIFT+ESC and click the Processes tab on WinNT/2000/XP machines.
- Locate the following process, click on it and choose End Task or End Process:
SVCHOST32
Do not end SVCHOST (without the "32"): that is the legitimate Windows service host process, and ending it will destabilize the system.
2) Remove the registry entry
- Click Start, Run, and type Regedit.
- In the left panel go to HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run.
- In the right panel, right-click and delete the following entry:
"SvcHost32" = C:\Windows\svchost32.exe
- Close the Registry Editor.
3) Delete the infected files (on Windows ME and XP, turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well)
- Click Start, point to Find or Search, and then click Files or Folders.
- Set "Look in" to the C: drive and make sure subfolders are included; the files are spread between the root of C:\ and the Windows directory.
- In the "Named" or "Search for..." box, type, or copy and paste, each of the following file names:
C:\Windows\svchost32.exe
C:\ppinfo.sys
C:\pp.hta
C:\pp.gif
C:\Windows\el388.tmp (the harvested-address list described above)
- Click Find Now or Search Now.
- Delete the displayed files.
4) Reboot the computer and run a thorough virus scan using your favorite antivirus program. If you do not know which antivirus software can provide strong protection for you, Kaspersky Internet Security is recommended.
- Start Kaspersky Internet Security and make sure that it is configured to scan all files.
- Run a full system scan.
- If any files are detected as infected with MiMail.I, click Delete.
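The four steps above, together with the indicators listed in the infection section (the SvcHost32 Run value, svchost32.exe in the Windows directory, and the dropped files), can be turned into a script that checks a host and produces the matching clean-up commands. The following is an added example written for this page, not a tool from the original page or from any antivirus vendor; the registry value names and file paths come from the description above, and the sample Run values and file lists in the test are constructed. The live scan part only runs on Windows; the checking logic itself is a pure function so it can be exercised anywhere.

```python
"""Check a Windows host for the MiMail.I indicators described above and
build the clean-up steps (added example, not part of the original page)."""
import ntpath
import os
import re
import sys

# Indicators from the description above.  Comparisons are case-insensitive
# because Windows paths are.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SvcHost32"
WORM_IMAGE = "svchost32.exe"
ADDRESS_CACHE = "el388.tmp"                          # lives in the Windows directory
ROOT_DROPPED_FILES = [r"C:\ppinfo.sys", r"C:\pp.hta", r"C:\pp.gif"]


def image_path_from_run_value(data):
    """Return the executable path from a Run value's command line.

    Handles both  "C:\\dir with spaces\\x.exe" /arg  and  C:\\dir\\x.exe /arg.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def worm_file_candidates(windows_dir):
    return [ntpath.join(windows_dir, WORM_IMAGE),
            ntpath.join(windows_dir, ADDRESS_CACHE)] + ROOT_DROPPED_FILES


def find_indicators(run_values, existing_files, windows_dir=r"C:\Windows"):
    """Return [(kind, detail), ...] for every MiMail.I indicator found.

    run_values     -- {value name: command line} as read from HKLM\\...\\Run
    existing_files -- iterable of full paths that exist on disk
    """
    hits = []
    present = {p.lower() for p in existing_files}
    for name, data in run_values.items():
        image = ntpath.basename(image_path_from_run_value(data))
        # The worm's autostart is a Run value pointing at svchost32.exe.
        # The legitimate svchost.exe (no "32") lives in System32 and is
        # started by the Service Control Manager, never from a Run value.
        if image.lower() == WORM_IMAGE or name.lower() == RUN_VALUE_NAME.lower():
            hits.append(("run_value", f"{name} = {data}"))
    for path in worm_file_candidates(windows_dir):
        if path.lower() in present:
            hits.append(("file", path))
    return hits


def removal_plan(hits):
    """Turn indicator hits into the removal steps above as Windows commands.

    taskkill and reg.exe exist on Windows XP and later (the original steps
    use Task Manager and Regedit, which also cover Win9x/ME).  On ME/XP turn
    off System Restore first so restored copies do not bring the worm back.
    """
    if not hits:
        return []
    plan = [f"taskkill /F /IM {WORM_IMAGE}"]                         # step 1
    if any(kind == "run_value" for kind, _ in hits):
        plan.append(f'reg delete "HKLM\\{RUN_KEY}" /v {RUN_VALUE_NAME} /f')  # step 2
    for kind, path in hits:
        if kind == "file":
            plan.append(f'del /F "{path}"')                          # step 3
    return plan


def live_scan():
    """Read the real Run key and file system; Windows only."""
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            run_values[name] = str(data)
            index += 1
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    on_disk = [p for p in worm_file_candidates(windows_dir) if os.path.exists(p)]
    return find_indicators(run_values, on_disk, windows_dir)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live scan needs Windows; find_indicators() can be used offline")
    for command in removal_plan(live_scan()):
        print(command)
```

The script prints the commands rather than running them, so the result can be reviewed before anything is deleted; step 4 (reboot and full antivirus scan) still has to be done by hand.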
How to Protect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file, and delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent (real-time) antivirus protection enabled at all times.