The Mimail worm has taken on dangerous new characteristics. The latest variant, Mimail-I, contains an executable attachment that attempts to induce the user into entering credit card information.
The first copies were found late Thursday in Australia and New Zealand, and the worm spread to South Africa and Europe as business and home users began their day. Additional traction was expected as the United States opened for business.
Mimail-I does no system damage, antivirus experts said early this morning, but it harvests potentially sensitive information if the infected attachment is executed and acted upon, and it spreads itself, via a self-contained SMTP engine, to e-mail addresses found on a victim's hard drive.
Mimail-I arrives via e-mail on Windows systems with a subject line that reads: "Your PayPal.com account expires." PayPal is an offshoot of online auctioneer eBay. The service enables users to securely send and receive payments online.
Symantec customers should note that the vendor is referring to this variant as as the Paylap worm.
A lengthy, urgent text message is included that explains that the user's PayPal account is about to expire and failure to act upon the notice will result in the user's account being deactivated.
The worm's attachment file name is "paypal.asp.scr" and, if executed, it displays a fake PayPal application window that asks users to enter their credit card information. The worm then collects the data and saves it in a file called C:ppinfo.sys, pings www.akamai.com to determine whether there is an active Internet connection, then attempts to mail the stolen data to four hard-coded e-mail addresses: email@example.com, firstname.lastname@example.org, email@example.com and firstname.lastname@example.org.
The previous Mimail variant appeared Nov. 3 and attempted to launch a distributed denial-of-service attack against antispam Web sites, leading some experts to deduce a connection between spammers and the worm writer.
"This is a clear attempt to pinch money," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
Cluley said e-mail administrators should be blocking the file-extension types used by Mimail because, for the most part, they have no legitimate business function and are the favorite vehicles of malicious code.
"More and more companies are blocking these dangerous file types. This one has a double-extension, and that alone should set off alarm bells," Cluley said. "However, there are some companies that are not blocking, or have users who break the rules."
Mimail-I's social engineering may trigger some to execute the worm. The worm's writer is capitalizing on the popularity of eBay and the PayPal service. The attached file, in some instances, appears to be a Web address www.paypal.com.scr, which could also induce a user to click on it, thinking it's a hyperlink.
"It looks legitimate, and some may not realize it's an attachment," said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp. "If companies are not blocking these files, they should be. What reason would any [enterprise] have to accept a .scr file or a .pif file?"
FEEDBACK: Are e-mail worms like Mimail a threat or a nuisance to your enterprise?
Send your feedback to the SearchSecurity.com news team.