PC Hell: MiMail.I Worm Virus Removal Instructions

How to Remove MiMail.I worm virus

What is the MiMail.I Worm?

MiMail.I and MiMail.J are mass mailing worms that attempts to steal credit card information. They masquerade as a PayPal Secure Application email similar to the following

Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Attachment: paypal.asp.scr or www.paypal.com.scr
Message:

Dear PayPal member,

PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

<address>

will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

How Does MiMail.I Worm Infect My System?

It creates a file named svchost32.exe in the Windows directory along with a temporary file and adds the following registry key to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run

"SvcHost32" = C:\Windows\svchost32.exe

Then it displays the following screen to try to steal credit card information

paypalmimail.gif (19892 bytes)

It then stores this information in the file c:\ppinfo.sys and sends this information to four predetermined addresses. After sending the information, it searches for email addresses in the cached internet files on the computer and saves these addresses to the file c:\windows\el388.tmp. It mass mails the virus to these addresses.

How Can I Remove the MiMail.I worm?

Follow these steps in removing the MiMail.I worm.

1) Terminate the running program

Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
Locate the following program, click on it and End Task or End Process

SVCHOST32

Close Task Manager

2) Remove the Registry entries

Click on Start, Run, Regedit
In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run

In the right panel, right-click and delete the following entry

"SvcHost32" = C:\Windows\svchost32.exe

Close the Registry Editor

3) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the file names: (these are all in the Windows directory)
svchost32.exe (in the Windows directory)
C:\ppinfo.sys
C:\pp.hta
C:\pp.gif
Click Find Now or Search Now.
Delete the displayed files.