PayPal scam tries to jumpstart new Mimail worm
Virus authors are using spam to spread a new version of the Mimail worm
Story by Paul Roberts
JANUARY 15, 2004 ( IDG NEWS SERVICE ) - After releasing a new version of the Mimail e-mail worm last week, virus authors are using a new tool this week to help it spread: spam e-mail containing a Trojan horse program that, once installed, retrieves and installs the worm. The new threat, which targets customers of eBay Inc.'s PayPal online payment service, highlights a growing trend in which online criminals combine computer viruses, spam distribution techniques, Trojan horse programs and "phishing" scams to circumvent security technology and fool Internet users, said Carole Theriault, security consultant at Sophos PLC in Abingdon, England.
Antivirus companies including Sophos and Kaspersky Labs Ltd. warned customers today of the new threat, which arrives in e-mail in-boxes as a message purporting to come from online payment service PayPal. The message subject line is "PAYPAL.COM NEW YEAR OFFER" and it reads, in part: "for a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!"
For their computers to be infected, users who open the compressed Zip file attached to the e-mail must then open a second file, which installs a Trojan horse program that connects to a Web site in Russia and retrieves the latest version of the Mimail worm, Mimail-N, Theriault said.
Once installed, Mimail-N alters the configuration of Microsoft Windows so that the worm is launched whenever Windows starts, harvests e-mail addresses from the computer's hard drive and mails copies of itself out to those addresses. It also creates phony PayPal Web pages used to prompt the user to enter credit card numbers and other personal information, according to an alert issued by Kaspersky Labs.
Information that's harvested is sent to the same Russian Internet site from which the Mimail worm was retrieved, Theriault said.
The strategy of using a Trojan horse program to retrieve a virus is unorthodox and may be intended to circumvent antivirus products that have already been updated to spot the new versions of Mimail, she said.
Trojan horse programs can't spread on their own the way e-mail or Internet worms do, but they do provide a new way to infiltrate a computer on a network that's using antivirus protection at the e-mail gateway. If the antivirus product hasn't been updated to detect the new Trojan horse program, e-mail messages containing it can slip by those defenses and be opened by users, Theriault said.
The new worm will have the biggest impact on home Internet users who have not installed desktop antivirus or firewall products, she said.
Even if users end up falling for the ruse, organizations that use firewalls and desktop antivirus products should be able to spot the Trojan horse program once it's installed on the desktop or prevent it from connecting to the outside server and retrieving a copy of the Mimail worm, Theriault said.
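As an added illustration (not code from the article or from any vendor named in it), the following gateway-side check flags a message shaped like the one described: the quoted subject line and a Zip attachment carrying an executable inside. The sample message, sender and member file name are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Subject line quoted in the article for the PayPal-themed spam run.
SUSPECT_SUBJECT = "PAYPAL.COM NEW YEAR OFFER"
# File extensions treated as executable content when found inside a Zip attachment.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_executables(data: bytes) -> list[str]:
    """Return the names of executable-looking members inside a Zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a valid Zip; nothing to inspect


def assess_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be held at the gateway (empty list means clean)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().upper() == SUSPECT_SUBJECT:
        reasons.append("subject matches known PayPal-themed spam run")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        members = zip_executables(payload)
        if members:
            reasons.append(f"zip attachment {fname} contains executable(s): {', '.join(members)}")
    return reasons


def build_sample_message() -> bytes:
    """Construct a sample message shaped like the one described (constructed, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("application.exe", b"MZ placeholder - not a real binary")
    msg = EmailMessage()
    msg["From"] = "offers@example.invalid"  # placeholder sender
    msg["To"] = "user@example.invalid"  # placeholder recipient
    msg["Subject"] = "PAYPAL.COM NEW YEAR OFFER"
    msg.set_content("register yourself within the next five business days with our application (see attachment)")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="application.zip")
    return msg.as_bytes()
```

Running `assess_message(build_sample_message())` yields two reasons, one for the subject and one for the executable inside the Zip; a message with neither trait returns an empty list.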