Full Version: WARNING!! Paypal E-Mail Fraud/Virus
mharrison
Mimail.I

Latest Variant Disguised
as PayPal Expiration Notice

14 November 2003

About the Virus

Since we first alerted you to Mimail.C, the virus has undergone many variations -- but none as successful as the latest, Mimail.I. This newest variant disguises itself as an expiration notice from PayPal asking you to update your account's credit card information. Ironically, the virus even warns you never to send credit card information over e-mail for security reasons. However, if you run Mimail.I's attachment, it ignores its own advice by forwarding your credit card details to four of the author's e-mail addresses and broadcasting itself to all your friends and contacts.

Distinguishing Characteristics

As with past Mimail variants, you can easily spot this virus because it always uses the same From address, Subject, Body and Attachment:

From:"PayPal.com" donotreply@paypal.com
Subject:YOUR PAYPAL.COM ACCOUNT EXPIRES

Dear PayPal member,

PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure. IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received. Thank you for using PayPal

Attachment: www.paypal.com.scr (sometimes also paypal.asp.scr)

If you execute Mimail's attachment, the worm adds the file svchost32.exe to your Windows directory and adds a registry entry ensuring that the file restarts whenever your machine reboots. The worm then searches for e-mail addresses within many different file types on your machine. After collecting all the addresses, Mimail uses its own SMTP engine to e-mail itself to them.

To trick you into giving away your credit card information, the worm displays the PayPal popup window shown in McAfee's alert. If you fill out the popup with your credit card details, Mimail creates a file called ppinfo.sys on your C: drive and sends that file to four hard-coded e-mail addresses belonging to the virus author. At the time of this writing, anti-virus vendors were in the process of shutting down the e-mail addresses in question.

What you can do

- As always, remind your users never to open unexpected attachments from any source. Inform them that most modern viruses falsify the "From" field and appear to come from friends, co-workers and third parties. Any e-mail that asks for credit card information is suspect. Be careful, and verify with vendors before giving out your credit card details.

- Most major anti-virus vendors already have signatures that detect Mimail.I. Check with your vendor for the latest update.
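
The fixed subject, sender and attachment names listed in the advisory above can be checked at a mail filter. The sketch below is an added example, not part of the original post or any vendor's signature; it also goes one step beyond the two named files and flags any attachment that hides an executable extension behind a host-like or document-like name. The function names, the `EXECUTABLE_EXTS` list and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisory above.
MIMAIL_SUBJECT = "YOUR PAYPAL.COM ACCOUNT EXPIRES"
MIMAIL_FROM = "donotreply@paypal.com"
MIMAIL_ATTACHMENTS = {"www.paypal.com.scr", "paypal.asp.scr"}
# Assumption (not from the advisory): extensions Windows executes directly.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

def is_disguised_executable(name):
    """True when an executable's stem itself contains a dot, e.g. photo.jpg.exe."""
    stem, dot, ext = name.rpartition(".")
    return bool(dot) and "." + ext in EXECUTABLE_EXTS and "." in stem

def score_message(raw_bytes):
    """Return the reasons a raw message matches; an empty list means no match."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().upper() == MIMAIL_SUBJECT:
        reasons.append("subject")
    if MIMAIL_FROM in (msg["From"] or "").lower():
        reasons.append("from")  # forgeable header: corroborates, proves nothing alone
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in MIMAIL_ATTACHMENTS:
            reasons.append("known-attachment:" + name)
        elif is_disguised_executable(name):
            reasons.append("disguised-executable:" + name)
    return reasons

def build_sample(subject, sender, filename):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "user@example.org"
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample(MIMAIL_SUBJECT, '"PayPal.com" <donotreply@paypal.com>',
                          "www.paypal.com.scr")
    print(score_message(sample))
```

The attachment-name rule is the durable part: subject and sender change with each variant, while an executable extension hidden behind a second extension-like name is the trick the variants share.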
Queenie
Send any suspect PayPal email to spoof@paypal.com. They'll let you know if it's legit or not.

Same with Ebay: spoof@ebay.com.

I got one from "PayPal" last week that was not a virus, but was a scam to get my credit card number, and a coworker got one from "Ebay" that was a scam to get her Ebay password.

Thanks for the warning on this new one.
anthony
This is old news. I've been receiving two or three ebay or paypal "update your information" spams per week for a year now.
Queenie
Maybe it's old news to you. Although I'd certainly heard of it before, the email I got last week was the first one I'd seen.

It's never a bad idea to warn people about stuff like this. Just because you know about it doesn't mean everyone else does.
Bruce Allert
Just happened to get the PayPal one last night. It had the .exe file.
Really wanted to reply with finger.gif
but deleted it instead & put a block on the sender.
bruce