E-mail worm masquerades as PayPal message

An e-mail worm is posing as a message from online payment company PayPal in an effort to harvest credit card numbers and account...

An e-mail worm is posing as a message from online payment company PayPal in an effort to harvest credit card numbers and account passwords.

W32/Mimail-I is a new version of the Mimail worm, which first appeared in August, and is believed to be the first e-mail worm specifically designed to steal personal financial and account information, an online crime known as "phishing".

Mimail-I first appeared late last week in what antivirus experts believe was a massive e-mail "seeding", in which unsolicited commercial e-mail programs are used to distribute messages containing the virus attachment, according to Craig Schmugar, a virus research engineer at McAfee Anti-Virus Emergency Response Team (Avert), which is part of Network Associates.

Like earlier editions of Mimail, the I-variant can also spread by itself. The worm contains its own SMTP (Simple Mail Transfer Protocol) e-mail engine and harvests e-mail addresses from victims' computers.

Unlike earlier versions of Mimail, the latest variant contains a message which tells recipients that their PayPal account will soon expire and that they need to re-enter their credit card information through "our secure application", referring to the executable file attached to the e-mail message.

When users click on the file attachment, the worm opens a window on their desktop that displays the PayPal logo and contains fields for entering their PayPal account password and credit card information.

Information entered into the fields is sent to four e-mail accounts belonging to internet domains in the Czech Republic, Schmugar said.

Chris Belthoff, senior security analyst as Sophos, said phisher scams tend to use spam e-mail to drive unwitting internet users to phony websites where their information is captured.

In July, the FBI and Internet service provider EarthLink warned there had been a rise in such scams since the beginning of this year.

Coupling such scams with a self-spreading e-mail worm is a new twist and is probably designed to increase the number of potential victims exposed to the scam, Belthoff said.

However, experts agreed that the new worm's similarity to earlier versions of e-mail, coupled with the suspicious attachment and loose spelling probably mean that Mimail-I is unlikely to create a large number of new identity theft victims.

E-mail users who are worried about exposure to the new worm should update their antivirus definitions immediately and consult with their antivirus supplier for instructions on removing Mimail from infected machines.

PayPal is owned by online auction giant eBay and is a frequent target of online scams.

Paul Roberts writes for IDG News Service

Read more on E-commerce technology