New Worm's No Pal, Could Make You Pay

Dubbed MiMail.I by most security professionals--but tagged as MiMail.H by Symantec--the new worm masquerades as an e-mail from PayPal, the e-payment system often used to pay for purchases on online auction sites, such as eBay.

The bogus PayPal message, which looks alarmingly legitimate, carries the subject of 'Your PayPal.com account expires,' and then asks the recipient to enter the credit-card number associated with his PayPal account.

"If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer," the fake message reads.

A pop-up window then appears on the user's screen, showing a form with fields for entering the credit-card number, the PIN associated with the card, and the card's three-digit security code.

If users enter credit card data, the MiMail worm encapsulates it in a file and transmits it to one of four e-mail addresses, all of which are hard-coded in the worm. Two of the addresses lead to Moscow, Russia, while the remaining pair head for the Czech Republic.

According to Craig Schmugar, a virus research engineer with Network Associates, these addresses are in the process of being closed down.

Other security experts noted that MiMail, which most recently bombarded e-mail users with worms tucked into compressed .zip files--a tactic intended to take advantage of the fact that many organizations and users assumed .zip files were safe--is one of the more aggressive malicious code attacks of the year.

Worse, MiMail.I underscores a new trend, in which hackers are moving away from notoriety as their goal to one of criminal gain.

"This is an increasing trend and an alarming one," said Ken Dunham, an analyst with iDefense, a Reston, Va.-based security-intelligence firm. "Identity theft is a growing problem, with the market for stolen credit cards emerging worldwide."

Not the first concentrated, organized attack to go after ill-gotten gains--Sobig, which ran rampant from January to August, was another--MiMail.I is particularly dangerous because of its past history.

On Halloween, an earlier variant of MiMail debuted, and was quickly followed by no less then five more variants in the span of just three days.

"Brace yourself," said Dunham. "We'll likely see more variants of this attack in the very near future."

Most anti-virus vendors have scrambled to release updated definition files to account for MiMail.I, and have also upgraded their threat assessments of the new worm.

Network Associates, for instance, ratcheted up its risk level for MiMail.I from "low" to "medium" on Friday to account for the overnight surge in the worm; Symantec ranked it as a "2" in its 1-to-5 scale.

But MiMail.I may have already run its course, said Network Associates' Schmugar. "The traffic has dramatically dropped off since earlier this morning," he said.

This story courtesy of TechWeb .