Virus authors are using spam e-mails containing a Trojan
horse program to help spread the latest version of the Mimail
e-mail worm.
The latest threat, which targets customers of eBay's PayPal
online payment service, highlights a growing trend in which online
criminals combine computer viruses, spam distribution techniques,
Trojan horse programs and "phishing" scams to circumvent security
technology and fool internet users, said Carole Theriault, security
consultant at Sophos.
Antivirus companies including Sophos and Kaspersky Labs warned
customers about the threat, which arrives in e-mail in-boxes as a
message purporting to come from online payment service PayPal.
The message subject line is "PAYPAL.COM NEW YEAR OFFER" and it
reads: "for a limited time only PayPal is offering to add 10% of
the total balance in your PayPal account to your account and all
you have to do is register yourself within the next five business
days with our application (see attachment)!"
For their computers to be infected, users who open the
compressed Zip file attached to the e-mail must then open a second
file inside it. That file installs a Trojan horse program, which
connects to a website in Russia and retrieves the latest version of
the Mimail worm, Mimail-N.
Once installed, Mimail-N alters the configuration of Microsoft
Windows so that the worm is launched whenever Windows starts,
harvests e-mail addresses from the computer's hard drive and mails
copies of itself out to those addresses. It also creates fake
PayPal web pages used to prompt the user to enter credit card
numbers and other personal information, according to an alert
issued by Kaspersky Labs.
Information that is harvested is sent to the same Russian site
from which the Mimail worm was retrieved.
The strategy of using a Trojan program to retrieve the virus is
unorthodox, and may be intended to circumvent antivirus products
that have already been updated to spot the new versions of Mimail,
said Theriault.
Trojan horse programs cannot spread on their own the way e-mail or
internet worms do, but they do provide a new way to infiltrate a
computer on a network that is using antivirus protection at the
e-mail gateway. If the antivirus product has not been updated to
detect the Trojan program, e-mail messages containing it can slip
by those defences and be opened by users.
The biggest impact of the worm will be on home internet users
who have not installed desktop antivirus or firewall products.
Organisations which use firewalls and desktop antivirus products
should be able to spot the Trojan program once it is installed on
the desktop, or prevent it from connecting to the outside server
and retrieving a copy of the Mimail worm.
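The gateway gap described above (a Trojan that slips past antivirus because no signature exists yet) is one that a policy check can close without a signature: refuse archives that contain executables and flag the lure's subject line. The following Python is an added example, not code from the article or from Sophos or Kaspersky; the sender address, recipient, attachment names and the zero-byte placeholder inside the zip are constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# File types a gateway can refuse inside an archive regardless of whether
# the antivirus engine already knows the payload.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
LURE_SUBJECT = "PAYPAL.COM NEW YEAR OFFER"  # subject line quoted in the article

def scan_message(raw: bytes) -> dict:
    """Inspect one raw RFC 822 message and report policy findings."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = {"lure_subject": False, "zipped_executables": [], "bad_zip": False}
    if LURE_SUBJECT in (msg["subject"] or "").upper():
        findings["lure_subject"] = True
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            # Look inside the archive: the article's lure hides the Trojan
            # as a second file the user must open after unzipping.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXEC_SUFFIXES):
                        findings["zipped_executables"].append(f"{name}:{info.filename}")
        except zipfile.BadZipFile:
            findings["bad_zip"] = True  # unreadable archives are quarantined too
    return findings

def should_quarantine(findings: dict) -> bool:
    """Any one finding is enough to hold the message for review."""
    return bool(findings["zipped_executables"]) or findings["bad_zip"] or findings["lure_subject"]

def build_sample(inner_name: str = "paypal_offer.exe", subject: str = LURE_SUBJECT) -> bytes:
    """Constructed test message; the zipped file is empty, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"")  # constructed name, zero bytes
    msg = EmailMessage()
    msg["From"] = "PayPal <offers@example.invalid>"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("for a limited time only PayPal is offering ... (see attachment)!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="offer.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A desktop firewall rule blocking the Trojan's outbound fetch, as the article notes, is the second layer; this gateway check is the first.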
Paul Roberts writes for IDG News Service