Spam with Trojan horse attacks eBay users

Virus authors are using spam e-mails containing a Trojan horse program to help latest version of the Mimail e-mail worm spread.

Virus authors are using spam e-mails containing a Trojan horse program to help spread the latest version of the Mimail e-mail worm.  

The latest threat, which targets customers of eBay's PayPal online payment service, highlights a growing trend in which online criminals combine computer viruses, spam distribution techniques, Trojan horse programs and "phishing" scams to circumvent security technology and fool internet users, said Carole Theriault, security consultant at Sophos.

Antivirus companies including Sophos and Kaspersky Labs warned customers about the threat, which arrives in e-mail in-boxes as a message purporting to come from online payment service PayPal.

The message subject line is "PAYPAL.COM NEW YEAR OFFER" and it reads: "for a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!"

For their computers to be infected, users who open the compressed Zip file attached to the e-mail must then open a second file, which installs a Trojan horse program which connects to a website in Russia and retrieves the latest version of the Mimail worm, Mimail-N.

Once installed, Mimail-N alters the configuration of Microsoft Windows so that the worm is launched whenever Windows starts, harvests e-mail addresses from the computer's hard drive and mails copies of itself out to those addresses. It also creates fake PayPal web pages used to prompt the user to enter credit card numbers and other personal information, according to an alert issued by Kaspersky Labs.

Information that is harvested is sent to the same Russian site from which the Mimail worm was retrieved.

The strategy of using a Trojan program to retrieve the virus is unorthodox, and may be intended to circumvent antivirus products that have already been updated to spot the new versions of Mimail, said Theriault.

Trojan horse programs cannot spread on their own, like e-mail or internet worms, but they do provide a new way to infiltrate a computer on a network that is using antivirus protection at the e-mail gateway. If the antivirus product has not been updated to detect the Trojan program, e-mail messages containing it can slip by those defences and be opened by users.

The biggest impact of the worm will be on home internet users who have not installed desktop antivirus or firewall products.

Organisations which use firewalls and desktop antivirus products should be able to spot the Trojan program once it is installed on the desktop, or prevent it from connecting to the outside server and retrieving a copy of the Mimail worm.

Paul Roberts writes for IDG News Service

Read more on IT risk management