  Randy Bell Premium join:2002-02-24 Santa Clara, CA | reply to Link Logger Re: Heads Up - PayPal infection attempt - New??
See also this sister thread: »W32.Paylap@mm |
|
 wilburyan
join:2002-08-01 | reply to ReaperOS2 I clicked on the link, instead of getting the spoofed site I wasn't able to connect to it so my default search thru netscape searched for it for me.... The first 5 hits had the subject "E-mail scam" lol |
|
  illukka Premium join:2003-04-06 finland | reply to Link Logger hey great work Vampirefo! any chance of getting a sample? |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger I submitted this virus to a couple of the AV's and McAfee has added it as »vil.nai.com/vil/content/v_100822.htm
As you can see Vampirefo nailed this one rather well. He also mentioned the IP addresses that the virus sends the data to. I didn't want to publish those until I found out if someone was 'watching' those IP addresses, as one was in the US. The IPs in question are 68.168.160.2 and 62.84.131.172. NOTE: full credit to Vamp for nailing this so quickly.
I should also note that eTrust nailed it as Win32/Mimail.xariant.worm from the start, so it would appear in this case they were ahead of McAfee.
- From McAfee -
This W32/Mimail variant attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys, which is sent to a remote server.
This worm is received in an email message as follows:
From: "PayPal.com" donotreply@paypal.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure. IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received. Thank you for using PayPal
Attachment (one of the following):
paypal.asp.scr
www.paypal.com.scr
When the attachment is run, the following Window is displayed:
See the image at »vil.nai.com/vil/content/v_100822.htm
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:
avi bmp cab com dll exe gif jpg mp3 mpg ocx pdf psd rar tif vxd wav zip
Symptoms
The following registry key is added to run the virus at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SvcHost32" = C:\WINDOWS\svchost32.exe
The worm creates the following files:
c:\pp.gif (paypal icon)
c:\pp.hta (graphical interface)
c:\ppinfo.sys (your credit card details)
c:\WINDOWS\ee98af.tmp (virus body)
c:\WINDOWS\el388.tmp (harvested email addresses)
c:\WINDOWS\svchost32.exe (virus body)
c:\WINDOWS\zp3891.tmp
Note: c:\WINDOWS is just an example of a Windows directory name. The worm does not use this exact name. It simply uses the system WINDOWS directory. d:\WINNT is another example of a Windows directory name.
The worm checks for an active Internet connection by pinging www.akamai.com
Method Of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
Removal Instructions
All Users: Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Aliases
Name W32.Paylap@mm (NAV) -- »www.SonicLogger.com - Logging Software for SonicWall and 3Com »www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel |
|
  broknsymetry What Time Is It And Why? Premium join:2003-06-27 THE VOID clubs:
| reply to Vampirefo Almost gave me a heart attack when I viewed clipboard4.gif from your zip file. I thought McAfee was really giving me a filtering rule alert for svchost32.exe, ROFLMAO  -- Some scientist may at last disperse The mysteries of the universe But me, I can not even think Why pork is white and ham is pink --Ogden Nash |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
| reply to Vampirefo Fast and good work Vampirefo as it would appear you have nailed it.
Where does it send the information too?
Blake |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV
·Comcast
| reply to Link Logger Ok, you have a new Trojan Dropper, a very interesting one; it does a lot of things. It drops pp.gif and pp.hta in root and it runs pp.hta and asks for a credit card number. Then it drops ee98af.tmp and el388.tmp in the Windows folder. The el388.tmp copies your e-mail addresses. It then drops a Trojan svchost32.exe in the Windows folder, then it adds itself to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SvcHost32 = 'G:\WINDOWS\svchost32.exe'
It then records all your e-mail addresses, contacts, and any e-mail address in any of your folders (inbox, sent, deleted), then it tries to connect to the internet and send all of this information as well as your credit card number.
Here are some pics of what it does. -- TrojanHunter Stands For Privacy!!!!!!! |
|
  catseyenu Ack Pfft Premium join:2001-11-17 Fix East
| reply to Link Logger query: 211.47.191.125
# ENGLISH
KRNIC is not ISP but National Internet Registry similar with APNIC. Please see the following end-user contacts for IP address information.
IP Address : 211.47.191.64-211.47.191.127
Network Name : HANINTERNET-LLINE-E2B
Connect ISP Name : HANINTERNET
Connect Date : 20021223
Registration Date : 20030108
[ Organization Information ]
Orgnization ID : ORG265243
Org Name : E2B
State : SEOUL
Address : 8, Samseong-dong , Gangnam-gu
Zip Code : 135-090
[ Admin Contact Information]
Name : SIJUN JIN
Org Name : E2B
State : SEOUL
Address : 8, Samseong-dong , Gangnam-gu
Zip Code : 135-090
Phone : +82-2-3775-0002
E-Mail : DK_SUH@E2B.CO.KR
[ Technical Contact Information ]
Name : SIJUN JIN
Org Name : E2B
State : SEOUL
Address : 8, Samseong-dong , Gangnam-gu
Zip Code : 135-090
Phone : +82-2-3775-0002
E-Mail : DK_SUH@E2B.CO.KR
--------------------------------------------------------------------------------
If the above contacts are not rechable, please see the following ISP contacts for relevant information or network abuse complaints.
[ ISP IP Admin Contact Information ]
Name : YoungDong Kim
Phone : +82-2-860-8143
Fax : +82-2-852-8535
E-Mail : iservice@haninternet.co.kr
[ ISP IP Tech Contact Information ]
Name : Raeeun Yeo
Phone : +82-2-860-8144
Fax : +82-2-852-8535
E-Mail : ip@haninternet.co.kr
[ ISP Network Abuse Contact Information ]
Name : Sangwon So
Phone : +82-2-860-8002
Fax : +82-2-852-8535
E-Mail : support@haninternet.co.kr
Edit for Korean oops. |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger The email address it was sent to was harvested from our web site, as we don't use webmaster@linklogger.com for anything other than inbound email.
Of course the email didn't come from PayPal.
Email Header etc.
-------------------------
Return-path:
Envelope-to: 1001040161@mail.golden.net
Delivery-date: Thu, 13 Nov 2003 20:56:43 -0500
Received: from exprod6mx13.postini.com ([12.158.35.153] helo=psmtp.com) by mail2.int.golden.net with smtp (Exim 4.12) id 1AKTCV-0004R5-00 for 1001040161@mail.golden.net; Thu, 13 Nov 2003 20:56:43 -0500
Received: from source ([199.166.210.22]) by exprod6mx13.postini.com ([12.158.35.251]) with SMTP; Thu, 13 Nov 2003 19:56:40 CST
Received: from pcp289634pcs.owngsm01.md.comcast.net ([68.55.140.24] helo=68.55.140.24) by mail3.int.golden.net with smtp (Exim 4.12) id 1AKTCO-000Lin-00 for webmaster@linklogger.com; Thu, 13 Nov 2003 20:56:36 -0500
Date: Thu, 13 Nov 2003 20:47:47 -0500
From: PayPal.com
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Reply-To: donotreply@paypal.com
Organization: None
X-Priority: 1 (High)
To: webmaster@linklogger.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------716A2B1C01688342"
Message-Id:
X-original-rcpt: webmaster@linklogger.com
X-pstn-levels: (S:16.1782 R:95.9108 P:95.9108 M:92.5706 C:96.3115 )
X-pstn-settings: 3 (1.0000:1.0000) r p m c
X-pstn-addresses: from [2310/105]
------------716A2B1C01688342
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with this email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
------------716A2B1C01688342
Content-Type: application/octet-stream; name="paypal.asp.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="paypal.asp.scr"
-- »www.SonicLogger.com - Logging Software for SonicWall and 3Com »www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel |
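As an added example, not code from any poster in this thread, here is a Python check over the header block quoted above: it walks the Received chain to the originating relay (the comcast.net host, not anything under paypal.com) and flags the attachment's double extension. The regexes, function names and the trimmed header sample are my own construction.

```python
import re
from email.parser import HeaderParser

# Header block constructed from the one quoted in the post above, trimmed to
# the lines the check needs; the values are the page's own.
SAMPLE_HEADERS = """\
Received: from exprod6mx13.postini.com ([12.158.35.153] helo=psmtp.com) by mail2.int.golden.net with smtp (Exim 4.12) id 1AKTCV-0004R5-00 for 1001040161@mail.golden.net; Thu, 13 Nov 2003 20:56:43 -0500
Received: from source ([199.166.210.22]) by exprod6mx13.postini.com ([12.158.35.251]) with SMTP; Thu, 13 Nov 2003 19:56:40 CST
Received: from pcp289634pcs.owngsm01.md.comcast.net ([68.55.140.24] helo=68.55.140.24) by mail3.int.golden.net with smtp (Exim 4.12) id 1AKTCO-000Lin-00 for webmaster@linklogger.com; Thu, 13 Nov 2003 20:56:36 -0500
From: PayPal.com
Reply-To: donotreply@paypal.com
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
"""

# "from <name> ([<ipv4>]" as written by Exim/Postini in the sample
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[(\d+\.\d+\.\d+\.\d+)\]")
# A second extension hiding behind a harmless-looking first one, e.g. paypal.asp.scr
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(scr|exe|pif|com|bat|vbs)$", re.I)

def received_hops(raw_headers):
    """Return (relay_name, ip) per Received header, outermost (latest) first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def originating_host(raw_headers):
    """The last Received line is the earliest hop: the closest we get to the sender."""
    hops = received_hops(raw_headers)
    return hops[-1] if hops else None

def claimed_sender_domain(raw_headers):
    """Domain the mail claims to come from (Reply-To, falling back to From)."""
    msg = HeaderParser().parsestr(raw_headers)
    addr = msg.get("Reply-To") or msg.get("From") or ""
    return addr.rsplit("@", 1)[-1].strip().lower()

def relay_mismatch(raw_headers):
    """True when no relay in the chain sits under the claimed sender domain."""
    domain = claimed_sender_domain(raw_headers)
    return not any(name.lower().endswith(domain) for name, _ in received_hops(raw_headers))

def suspicious_attachment(filename):
    """True for double-extension executables like the two names McAfee lists."""
    return bool(DOUBLE_EXT_RE.search(filename))
```

Both attachment names from the McAfee writeup (paypal.asp.scr and www.paypal.com.scr) trip the double-extension check, and the header sample trips the relay check because nothing in the Received chain is a paypal.com host.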
|
  ReaperOS2 Send Me Dvd's Premium join:2001-02-27 Round Lake, IL clubs:
| reply to Link Logger Hhhmmm. I received a different one today. It is using the web redirect, to make you think you are going to PayPal's website. But it sends you to 211.47.191.125.
The link is below, so do not click on it. You can see where it is being directed to.
For what it's worth, here's the message:
------------------------------------------------------
Status: U
Return-Path:
Received: from microsoft.com ([195.19.105.182]) by albert.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1akiSG31A3Nl3qU0 for ; Thu, 13 Nov 2003 09:55:26 -0500 (EST)
Date: Thu, 13 Nov 2003 15:14:31 +0000
From: PayPal
Subject: PayPaI officiaI notice
To: ReaperOS2
References:
In-Reply-To:
Message-ID:
Reply-To: PayPal
Sender: PayPal
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_K19EJ_48GJ9J98J4AK_701B4H"
X-ELNK-AV: 0
------=_NextPart_K19EJ_48GJ9J98J4AK_701B4H
Content-Type: text/html
Content-Transfer-Encoding: 8bit
 as follows in 2007 CUD you can't miss it have got let me see... in 1989 nGHJFlq bjlQZilzYHJ Xe in 1947 in 1899 in 1886 536 in 1988 1 In my view 214 I feel deeply for your sorrow in 1870 Just a moment! to see you in 2005 on that? Lovely day in 1968 mTG to sign here in 1992 I enjoy it... in 1987 be sure I trust you
------=_NextPart_K19EJ_48GJ9J98J4AK_701B4H
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID:
[Removed pic.gif to limit length.]
------=_NextPart_K19EJ_48GJ9J98J4AK_701B4H--
-------------------------------------------------
Later, Grim -- DVD Collector; "I'm already Warped! Do I need the software, too?" |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| I received an email tonight that was obviously bogus and had an attachment which didn't set off McAfee, so I'm thinking it must be new. The subject was 'YOUR PAYPAL.COM ACCOUNT EXPIRES' and the body was as follows:
---------------------------
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with this email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
---------------------------
The attachment was named 'paypal.asp.scr'. Of course I didn't run it, as the .scr is a giveaway, and after loading it into a hex editor it's a virus. Anyone who wants a copy for diagnosis, send me an IM with your email address.
Blake |
|