A new email worm is spreading on the Internet and posing as a message from PayPal, the online payment company, in an effort to harvest credit card numbers and account passwords, leading antivirus companies have warned.
W32/Mimail-I is a new version of the Mimail worm, which first appeared in August, and is believed to be the first email worm specifically designed to steal personal financial and account information, an online crime known as "phishing."
Mimail-I first appeared late last week in what antivirus experts believe was a massive email "seeding", in which unsolicited commercial email ("spam") programs are used to distribute messages containing the virus attachment, according to Craig Schmugar, a virus research engineer at McAfee Anti-Virus Emergency Response Team, or AVERT, which is part of Network Associates.
Like earlier editions of Mimail, the I-variant can also spread by itself.
The worm contained its own Simple Mail Transfer Protocol (SMTP) email engine and harvested email addresses from victims' computers, Schmugar said.
Unlike earlier versions of Mimail, the new variant contains a message that tells recipients that their PayPal account will soon expire and that they need to re-enter their credit card information through "our secure application," referring to the executable file attached to the e-mail message.
When users click on the file attachment, the worm opens a window on their desktop that displays the PayPal logo and contains fields for entering their PayPal account password and credit card information, senior security analyst at Sophos, Chris Belthoff, said.
PayPal is owned by online auction giant eBay and is a frequent target of online scams.
Information that is entered into the fields is sent to four email accounts belonging to Internet domains in the Czech Republic, Schmugar said.
Typically, phisher scams use spam email to drive unwitting Internet users to phony Web sites, where their information was captured, Belthoff said.
In July, the US Federal Bureau of Investigation (FBI) and Internet service provider, EarthLink, warned about a spike in such scams since the beginning of 2003.
Coupling such scams with a self-spreading email worm was a new twist and probably designed to increase the number of potential victims exposed to the scam, Belthoff said.
However, the new worm's similarity to earlier versions of email, coupled with the suspicious attachment and loose spelling probably mean that Mimail-I will not create a large number of new identity theft victims, experts agreed.
Reports of the worm spreading were trailing off by last Friday.
Email users who were worried about exposure to the new worm should update their antivirus definitions immediately and consult with their antivirus vendor for instructions on removing Mimail from infected machines, experts said.