
Mimail.J worm

By , About.com Guide

Nov 18 2003

Viruses are no longer the domain of the bored or technically challenged. Instead, virus writers seem to be increasingly moving towards using their creations to commit traditional forms of crime. Where worms such as Sobig were presumably used for spam purposes, the recent rash of Mimail worms has an even more insidious purpose.

The newest entry to the virus crime scene is Mimail.J, which attempts to dupe users into divulging their credit card details and other personal information. Its purpose may extend beyond simple credit card theft. Armed with collected information ranging from Social Security numbers to mother's maiden name, Mimail.J is capable of being used for identity theft as well.

Mimail.J was discovered on November 17, 2003. Its predecessor, Mimail.I, was discovered on November 14th. Both worms use the PayPal name to dupe users into releasing personal financial information. Email scams claiming to be from PayPal or eBay are common occurrences on the Internet, though having a worm spread the scam is unusual.

The Mimail.J email carries an attachment named either InfoUpdate.exe or www.paypal.com.pif. By default, Windows does not display the real extension, thus users might be tricked into believing that www.paypal.com.pif is www.paypal.com and mistakenly assume it is a web site address. Ensure file extension viewing is enabled to prevent being taken by this ruse.
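To make the extension-hiding ruse concrete, here is a small added illustration (not code from the original article) of what Explorer shows for an attachment name with "hide extensions for known file types" on versus off, and a classifier that flags executable attachments whose displayed name looks like something else. The extension lists are assumptions chosen for this example; the two attachment names come from the article.

```python
"""Added example: how Windows' default extension hiding renders attachment
names, and a check for double-extension lures such as www.paypal.com.pif.
The extension sets below are assumptions for this illustration."""
import os

# Extensions Windows runs directly when double-clicked (assumed list; it
# covers the two the worm used, .exe and .pif).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Known file types whose extension Explorer hides by default (assumed list).
HIDDEN_KNOWN_TYPES = EXECUTABLE_EXTENSIONS | {".txt", ".doc", ".pdf", ".htm", ".html"}


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Return the name Explorer would show for `filename`.

    With the default setting on, the final extension of a known type is
    stripped, so 'www.paypal.com.pif' is shown as 'www.paypal.com'.
    """
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in HIDDEN_KNOWN_TYPES:
        return stem
    return filename


def classify_attachment(filename: str) -> str:
    """Classify an attachment name as one of:

    'benign'               - real extension is not executable
    'executable'           - executable, shown name carries no other suffix
    'disguised-executable' - executable, and the name shown with extensions
                             hidden still ends in something that looks like
                             an extension or domain suffix (a URL lure)
    """
    _, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return "benign"
    shown = displayed_name(filename, hide_known_extensions=True)
    _, inner = os.path.splitext(shown)
    return "disguised-executable" if inner else "executable"


if __name__ == "__main__":
    for name in ("InfoUpdate.exe", "www.paypal.com.pif", "report.pdf"):
        print(f"{name:22} shown as {displayed_name(name):18} -> {classify_attachment(name)}")
```

A mail gateway or endpoint filter applying `classify_attachment` would treat both of the worm's attachment names as executable, and the `.pif` one as a disguised executable regardless of what the recipient's Explorer settings show.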

The Mimail.J email appears as one of the following:

    Subject: Problems with your PayPal account.
    Attachment: InfoUpdate.exe

    Message body:
    Dear PayPal member,

    We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

    To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

    IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

-or-

    From: Do_Not_Reply@paypal.com
    Subject: Important (several blank spaces followed by random letters)
    Attachment: www.paypal.com.pif

Opening the attachment will cause the system to become infected and, in turn, to spread the infection to others.

Symptoms of infection
Mimail.J creates two files in the Windows directory:

  • svchost32.exe
  • ee98af.tmp

Mimail.J adds a value to the following key in the system Registry so that the dropped svchost32.exe is loaded on system startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The value added is:

    "SvcHost32" = C:\%windir%\svchost32.exe

Mimail.J then displays a window titled "PayPal Secure Application" which prompts the user to enter their credit card number, CCV code, and expiration date, as well as other personal details including name, Social Security number, mailing address, date of birth, and mother's maiden name. This information is saved to a file named ppinfo.sys and sent to a remote location. Mimail.J then mass-mails itself to others, using email addresses harvested from files on the hard drive.

Mimail.J uses its own SMTP engine to send the infected mail, so the copies it sends will not appear in the Sent folder of the email client.

To manually remove Mimail.J from an infected system, remove the SvcHost32 Registry edit made by the worm and delete the dropped/created files. Antivirus software updated after Mimail.J's discovery should also be able to detect and remove the worm.
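As an added illustration of the manual check described above (not code from the article), the following parses a `reg export` of the Run key, flags the persistence entry by its value name or by the image it launches, and turns the findings into a removal checklist. The registry export text is constructed for this example; the indicator names (SvcHost32, svchost32.exe, ee98af.tmp, ppinfo.sys) are the ones the article lists, and the article gives no path for ppinfo.sys, so the plan only says to locate it.

```python
"""Added example: triage a .reg export of the Run key for the Mimail.J
persistence entry and build a removal checklist. The sample export below
is constructed; indicator names are taken from the article."""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators from the article.
SUSPECT_VALUE_NAME = "SvcHost32"
SUSPECT_IMAGE = "svchost32.exe"
DROPPED_IN_WINDIR = ["svchost32.exe", "ee98af.tmp"]

# Constructed sample of what `reg export` writes for the Run key on an
# infected host; "SoundMan" is a made-up benign neighbour.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return the name -> command map for string values under RUN_KEY.
    Other keys are skipped. .reg exports double every backslash, so the
    stored command is unescaped here."""
    values: Dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            in_run_key = key.group(1).lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_persistence(values: Dict[str, str]) -> List[str]:
    """Names of Run values that start the worm's svchost32.exe.
    Matching on the launched image as well as the value name catches an
    entry that was renamed. The legitimate svchost.exe in system32 is not
    named svchost32 and is left alone."""
    hits = []
    for name, command in values.items():
        image = command.strip('"').split()[0] if command.strip() else ""
        if name.lower() == SUSPECT_VALUE_NAME.lower() or image.lower().endswith(SUSPECT_IMAGE):
            hits.append(name)
    return hits


def removal_plan(values: Dict[str, str], windir: str = "C:\\WINDOWS") -> List[str]:
    """The article's manual clean-up, as an ordered checklist of strings."""
    steps = [f"delete value {name!r} under {RUN_KEY}" for name in find_persistence(values)]
    steps += [f"delete {windir}\\{f}" for f in DROPPED_IN_WINDIR]
    steps.append("locate and delete the harvested-data file ppinfo.sys (article gives no path)")
    return steps


if __name__ == "__main__":
    for step in removal_plan(parse_run_values(SAMPLE_REG_EXPORT)):
        print("-", step)
```

On a live system the export would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the running svchost32.exe process would need to be stopped before its file can be deleted; the article's advice to rely on updated antivirus remains the simpler route.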

©2009 About.com, a part of The New York Times Company.

All rights reserved.