Phishes and bugs: New worm uses PayPal scam

A new e-mail worm is spreading on the Internet and posing as a message from PayPal, the online payment company, in an effort to harvest credit card numbers and account passwords, leading antivirus companies warned on Friday.

W32/Mimail-I is a new version of the Mimail worm, which first appeared in August, and is believed to be the first e-mail worm specifically designed to steal personal financial and account information, an online crime known as "phishing."

Mimail-I first appeared late Thursday in what antivirus experts believe was a massive e-mail "seeding," in which unsolicited commercial e-mail ("spam") programs are used to distribute messages containing the virus attachment, according to Craig Schmugar, a virus research engineer at McAfee Anti-Virus Emergency Response Team, or AVERT, which is part of Network Associates.

Like earlier editions of Mimail, the I-variant can also spread by itself. The worm contains its own SMTP (Simple Mail Transfer Protocol) e-mail engine and harvests e-mail addresses from victims' computers, Schmugar said.

Unlike earlier versions of Mimail, the new variant contains a message that tells recipients that their PayPal account will soon expire and that they need to re-enter their credit card information through "our secure application," referring to the executable file attached to the e-mail message.

When users click on the file attachment, the worm opens a window on their desktop that displays the PayPal logo and contains fields for entering their PayPal account password and credit card information, according to Chris Belthoff, senior security analyst as Sophos.

PayPal is owned by online auction giant eBay and is a frequent target of online scams.

Information that is entered into the fields is sent to four e-mail accounts belonging to Internet domains in the Czech Republic, Schmugar said. Typically, phisher scams use spam e-mail to drive unwitting Internet users to phony Web sites, where their information is captured, Belthoff said.

In July, the U.S. Federal Bureau of Investigation (FBI) and Internet service provider EarthLink warned about a spike in such scams since the beginning of 2003. 

Coupling such scams with a self-spreading e-mail worm is a new twist and is probably designed to increase the number of potential victims exposed to the scam, Belthoff said.

However, the new worm's similarity to earlier versions of e-mail, coupled with the suspicious attachment and loose spelling probably mean that Mimail-I will not create a large number of new identity theft victims, experts agreed.

Reports of the worm spreading were trailing off Friday, and experts do not expect it to continue spreading over the weekend.

E-mail users who are worried about exposure to the new worm should update their antivirus definitions immediately and consult with their antivirus vendor for instructions on removing Mimail from infected machines, experts said.