A new Mimail variant on the loose bares a striking resemblance to its brethren.
Mimail-J seems to be gaining some traction. Symantec Security Response has upgraded the worm to a Category 3 (out of five) threat. F-Secure Corp. has it as a Level 2 risk. U.K.-based e-mail filtering outsourcer MessageLabs intercepted more than 25,000 copies of it between Monday and 9 a.m. EST today.
Mimail-J tries, like Mimail-I, to get recipients to give up credit card details, but it goes one step further, asking for a Social Security number and the recipient's mother's maiden name.
The e-mail message carrying the worm has the following characteristics:
Subject: "IMPORTANT" or "Problems with your PayPal account"
Dear PayPal member,
We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.
To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in [the] next five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attachment: "www.paypal.com.pif" or "InfoUpdate.exe"
When infecting a system, the worm drops copies of itself in the Windows folder with names such as SvcHost32.exe and ee98af.tmp. It also generates bogus PayPal files in the root directory of the infected computer, with the filenames "pp.hta" and "index2.hta." It is these files that pop up looking like Web pages, asking for sensitive information.
Administrators should block the file-extension types used by Mimail because, for the most part, they have no legitimate business functions and are favorite vehicles of malicious code.