FRISK Software International

Summary of W32/Mimail.I@mm
Length: 13KB
Discovered: 14 Nov 2003
Definition files: 14 Nov 2003
Risk Level: Low
Infection Method:Mass mailing
Payload: Mimail.I@mm arrives in e-mail purporting to be from PayPal and asking users to submit their credit card details and pin number via a dialogue box that appears when the infectious attachment is run. Once the information has been submitted it is sent to four different e-mail addresses. Access to these accounts has been blocked.
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description

This is a resident mass mailing worm that is upx packed and arrives in the mail disquised as a PayPal notice. is the name of the attachment.
The worm sends itself to those e-mail addresses that it finds on the infected computer.
The subject of these e-mails is "YOUR PAYPAL.COM ACCOUNT EXPIRES".

Technical Description

When executed it copies itself into the windows folder under the name svchost32.exe and adds the value below to the registry so it will be executed on every startup.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SvcHost32"="C:\\WINDOWS\\svchost32.exe"

It also puts itself in the windows directory under the name ee98af.tmp

In the root of drive C: it drops two files, pp.hta and pp.gif. Then it runs the hta file. The hta file contains a script that creates a window that imitates a PayPal application. See the following image.

The information entered in these edit boxes are put in a file on drive C: called ppinfo.sys and sends this information to specified e-mail addresses.

The worm goes resident and checks if the user is connected to the internet by sending a DNS query to if it gets reply it will create three threads.

The first thread sleeps for 3 seconds, then it checks if the pp.hta has written any data to the ppinfo.sys file. If not it waits another 3 seconds and checks again until the ppinfo.sys file exists and contains data about the users input(possibly credit card information). Then the worm takes the data and tries to send it out to certain e-mail accounts (that are probably accessible for the author of the worm). After that it deletes the ppinfo.sys file and terminates the thread.

The second thread sleeps for 1 minute before it activates. Then it harvests e-mail addresses from every file but it excludes the files that have the extensions below.


Then it saves them in a file called el388.tmp in the windows directory and terminates the thread.

The third and the last thread sleeps for one minute before activation. Then it waits until the second thread finishes. After that it initializes the e-mail engine, it goes through the gathered e-mails and creates a thread for each e-mail it sends. Therefore it can get much throughput and send the forged e-mails out very quickly. After it has gone through the list of addresses it terminates the thread. It stays resident and prevents deletion of the Svchost32.exe and the el388.tmp files.

The e-mail will look like the text below.

    To:<E-mail address of the recipient>

    Dear PayPal member,

    PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

    <E-mail address of the recipient>

    will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

    We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

    IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

    Thank you for using PayPal.

    <random text>

Removal Instructions

If you run the OnDemand Scanner regularly it can be used to disinfect but some viruses, such as Mimail.I@mm, cannot be disinfected in Windows. This is caused by the fact that the virus infects files that Windows uses while running. Thus F-Prot Antivirus cannot access the files to disinfect and it is necessary to disinfect using the DOS scanner (for Windows 95/98/ME) or the Command-line scanner (for Windows NT/2000/XP).

For general disinfection help click here.

Remove this value from the registry.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SvcHost32"="C:\\WINDOWS\\svchost32.exe"

Analysis / Description: Ragnar Gisli - Senior virus researcher FRISK Software International

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)