PayPal scam tries to jumpstart Mimail worm

After releasing a version of the Mimail e-mail worm last week, virus authors are using a tool this week to help it spread: spam e-mail containing a Trojan horse program that, once installed, retrieves and installs the worm.

The new threat, which targets customers of eBay’s PayPal online payment service, highlights a growing trend in which online criminals combine computer viruses, spam distribution techniques, Trojan horse programs and “phishing” scams to circumvent security technology and fool Internet users, said Carole Theriault, security consultant at Sophos in Abingdon, England.

Anti-virus companies including Sophos and Kaspersky Labs warned customers Thursday about the new threat, which arrives in e-mail inboxes as a message purporting to come from online payment service PayPal. The message subject line is “PAYPAL.COM NEW YEAR OFFER,” and it reads, in part: “for a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!”

For their computers to be infected, users who open the compressed Zip file attached to the e-mail must then open a second file, which installs a Trojan horse program that connects to a Web site in Russia and retrieves the latest version of the Mimail worm, Mimail-N, Theriault said.

Once installed, Mimail-N alters the configuration of Microsoft Windows so that the worm is launched whenever Windows starts, harvests e-mail addresses from the computer’s hard drive and mails copies of itself out to those addresses. It also creates phony PayPal Web pages used to prompt the user to enter credit card numbers and other personal information, according to an alert issued by Kaspersky Labs.

Information that is harvested is sent to the same Russian Internet site from which the Mimail worm was retrieved, Theriault said.

The strategy of using a Trojan program to retrieve the new virus is unorthodox, and may be intended to circumvent anti-virus products that have already been updated to spot the new versions of Mimail, she said.

Trojan horse programs cannot spread on their own, like e-mail or Internet worms, but they do provide a new way to infiltrate a computer on a network that is using anti-virus protection at the e-mail gateway. If the anti-virus product has not been updated to detect the new Trojan program, e-mail messages containing it can slip by those defenses and be opened by users, she said.

The biggest impact of the new worm will be on home Internet users who have not installed desktop anti-virus or firewall products, she said.

Even if users end up falling for the ruse, organizations that use firewalls and desktop anti-virus products should be able to spot the Trojan program once it is installed on the desktop or prevent it from connecting to the outside server and retrieving a copy of the Mimail worm, she said.