


SVCHOST32.EXE PROCESS INFORMATION

Process Name : Svchost32.exe

Process Path : %WINDOWS%\svchost32.exe [ C:\Windows\svchost32.exe ]

Process type : Internet Worm

Malware Name : W32.Mimail.J@mm

Alias : I-Worm/Mimail.J, W32/Mimail-J, W32/Mimail.J@mm, WORM_MIMAIL.J, Mimail.I

Threat level : Low

Process Details :

                     Svchost32.exe is the main component dropped by Mimail.J, a modified variant of the Mimail.I worm. It attempts to steal credit card and other personal information from the infected user. Mimail.J arrives as an e-mail attachment and harvests e-mail addresses stored on the local hard disk in order to distribute infected messages.

                     The infected attachment is named "www.paypal.com.pif" or "InfoUpdate.exe". Note that .pif is an executable file type on Windows, so the URL-like name hides a program. A sample of the infected mail is given below.

From: Do_Not_Reply@paypal.com
Subject: IMPORTANT <random characters> or Problems with your PayPal account.

Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information. 

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions. 

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore. 

Thank you for using PayPal. 
<random characters>

                     When the infected attachment is executed, the worm copies itself to svchost32.exe in the Windows folder and drops pp.gif and pp.hta in the root of C:\. It collects e-mail addresses found on the local system and stores them in a file named el388.tmp. After checking that an Internet connection is available, it sends infected messages to every address stored in el388.tmp. The worm uses its own SMTP engine to send these messages, so it does not depend on the victim's mail client.

                     Mimail.J adds a value to the registry Run key so that it is loaded automatically at the next startup. The registry modification is given below.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"SvcHost32" = %Windows%\svchost32.exe [ C:\Windows\svchost32.exe ]


                     Mimail.J displays a fake PayPal window that asks the user to enter a credit card number, PIN, social security number and other personal details. When the user types and confirms the information, the worm stores it in a file named PPINFO.SYS and then attempts to send it to e-mail addresses hard-coded in the worm. The Mimail.J variant appeared on 17 November 2003.
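The process, registry and dropped-file indicators described above can be checked with a small triage script. The following Python is an added example, not code from Solo Antivirus or SRN Micro. It runs offline over a constructed host inventory (the kind of data a responder would pull with tasklist, reg query and dir) and flags the indicators from this page. The page does not state which folders hold el388.tmp and PPINFO.SYS, so the script matches those two by file name in any folder; that, and the sample inventory contents, are assumptions made for the example.

```python
"""Offline triage of the Mimail.J host indicators listed on this page.

Added example, not Solo/SRN Micro code. Indicators come from the page; the
folders holding el388.tmp and PPINFO.SYS are not stated there, so those two
are matched by file name in any folder (an assumption).
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_IMAGE = "svchost32.exe"           # dropped in %Windows%, not in System32
WORM_RUN_VALUE = "svchost32"           # value name "SvcHost32", compared case-insensitively
DROPPED_IN_ROOT = {"pp.gif", "pp.hta"}           # dropped in the root of C:\
DROPPED_ANYWHERE = {"el388.tmp", "ppinfo.sys"}   # folder not given on the page (assumption)


@dataclass
class HostInventory:
    """What a responder would collect from the host (tasklist, reg query, dir)."""
    windows_dir: str            # value of %Windows%, e.g. C:\WINDOWS
    processes: List[str]        # full image paths of running processes
    run_values: Dict[str, str]  # value name -> data under RUN_KEY
    files: List[str]            # file paths enumerated on the system drive


def norm(path: str) -> str:
    """Strip quotes, normalise separators and fold case. ntpath is pure Python,
    so this runs on any OS, not only Windows."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def find_indicators(inv: HostInventory) -> List[Tuple[str, str]]:
    hits: List[Tuple[str, str]] = []
    # The legitimate service host is svchost.exe in System32. The worm's image
    # is svchost32.exe, so only that exact file name is an indicator.
    for proc in inv.processes:
        if ntpath.basename(norm(proc)) == WORM_IMAGE:
            hits.append(("process", proc))
    # Run-key persistence: match the value name the worm uses, or any value
    # whose data points at svchost32.exe under a different name.
    for name, data in inv.run_values.items():
        if name.lower() == WORM_RUN_VALUE or ntpath.basename(norm(data)) == WORM_IMAGE:
            hits.append(("run", f"{RUN_KEY}\\{name} = {data}"))
    # Dropped files: pp.gif and pp.hta only count in the root of the system drive.
    root = norm(ntpath.splitdrive(inv.windows_dir)[0] + "\\")
    for path in inv.files:
        n = norm(path)
        base = ntpath.basename(n)
        if (base in DROPPED_IN_ROOT and ntpath.dirname(n) == root) or base in DROPPED_ANYWHERE:
            hits.append(("file", path))
    return hits


# Constructed inventory of an infected host (sample data, not a real capture).
INFECTED = HostInventory(
    windows_dir=r"C:\WINDOWS",
    processes=[
        r"C:\WINDOWS\system32\svchost.exe",   # legitimate, must not be flagged
        r"C:\WINDOWS\svchost32.exe",          # worm image
        r"C:\Program Files\Outlook Express\msimn.exe",
    ],
    run_values={
        "SvcHost32": r"C:\WINDOWS\svchost32.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    files=[r"C:\pp.gif", r"C:\pp.hta", r"C:\WINDOWS\el388.tmp", r"C:\boot.ini"],
)

# Constructed inventory of a clean host: same legitimate entries, no worm.
CLEAN = HostInventory(
    windows_dir=r"C:\WINDOWS",
    processes=[r"C:\WINDOWS\system32\svchost.exe"],
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    files=[r"C:\boot.ini", r"C:\Documents and Settings\user\pp.gif"],  # pp.gif outside the root
)

if __name__ == "__main__":
    for kind, detail in find_indicators(INFECTED):
        print(f"{kind:8} {detail}")
```

On the infected inventory the script reports one process, one Run value and three dropped files, and stays silent on the legitimate svchost.exe in System32; on the clean inventory it reports nothing, including the pp.gif that sits outside the drive root. A real sweep would fill the HostInventory from the live host instead of the constructed lists.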

How can I protect my system?

                   Solo has added svchost32.exe to its signature file to protect users from this worm. Registered Solo Antivirus users are already protected. Make sure that you have installed the registered version of Solo Antivirus to protect your system from virus threats.

How to remove this Worm?

                   If your computer is already infected with the svchost32.exe process, you can remove it using Solo Antivirus. Use the following link to download the 30-day trial version of Solo Antivirus and remove the worm from your computer.

                   Solo Antivirus not only scans for all known viruses; it also contains a System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also removes existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.

You can purchase Solo Antivirus using the following link.