Meet the new Mimail worm, same as the old Mimail worm -- sort of.
The 14th variant of the Mimail worm surfaced Wednesday afternoon, and this one carries much of the same poison as previous variants. Namely, it phishes for sensitive user information, like credit card and Social Security numbers. The new variant also uses a phony PayPal data entry form.
This one, however, doesn't try to scare PayPal customers into forking over their information. Instead, Mimail-P promises a prize for the New Year -- the addition of 10% to a customer's PayPal account.
PayPal is a service, owned by online auction site eBay, that enables people to send money online.
Virus experts said this morning that Mimail-P has failed to spread as well as other variants. Vincent Gullotto, vice president of McAfee's Antivirus Emergency Response Team (AVERT), said Mimail-P may have looked too much like a spam message to tempt users into opening it. Also, e-mail administrators may be on to Mimail's social engineering.
"In corporate environments, it's especially true with a particular family [of worms] where we've had so many variants in the last six months, that administrators look for what they can block and set up content filtering," Gullotto said. "It's hit or miss really. The social engineering may not be what the author intended. And, more people are learning not to double-click something without scanning it first."
Mimail-P is attached to an e-mail with the subject line "Great New Year Offer from PayPal.com." The worm is packed in a .zip file called pp-app.zip, and it is spreading on Windows machines, via a self-contained SMTP mailing engine, to e-mail addresses found on the victim's hard drive.
If the worm detects a network connection upon execution, a browser-based PayPal form is displayed that asks for credit card, CVV (card validation value) and personal identification numbers, as well as the recipient's name and address and Social Security number. Once the data is entered, it is sent to a remote Russian Web site.
If no network connection is detected, the worm changes the infected PC's Internet Explorer homepage to a Web site that contains a satirical picture of President Bush.
Mimail-P drops a copy of itself into the Windows folder, in files called ee98af.tmp and winmgr32.exe. It also changes the registry key to HKLMSoftwareMicrosoftWindowsCurrentVersionRunWinMgr32, so the worm will run each time the computer starts up.
It also creates a zipped copy of itself named zipzip.tmp in the Windows folder and stores the phony PayPal forms as "index.hta" and "index2.hta" in the root folder.
"It's not taking off at all," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp. "If it was it would have already."
There seems to be a bug within the worm that has also contributed to its lack of traction, Hypponen said. "It probably lies in the worm's mailing routine, which is a bit more complex than past variants."I would not be surprised to see a new better version of the worm in a day or two," Hypponen said.
Other Mimail variants, like Mimail-I, have also phished for sensitive information. During the recent holiday season, phishing attacks were rampant, according to the Anti-Phishing Working Group. During December, more than 60 phishing e-mail fraud attacks were launched and more than 60 million fraudulent e-mail messages sent.
PayPal and eBay customers were the biggest targets; they were the subjects of 24 unique e-mail attacks launched in November and December, the Anti-Phishing Working Group said. Other online financial institutions, like Visa, were also targeted.
The Anti-Phishing Working Group estimates that 5% of users fall for phishing attacks because the messages look "official," leaving themselves open to financial loss and identity theft. For online businesses, sometimes irreparable damage is done to reputation and credibility.
FEEDBACK: Are phishing attacks like Mimail-P a nuisance or a legitimate concern to your enterprise?
Send your feedback to the SearchSecurity.com news team .