MiMail.j prevention and cure
By Robert Vamosi

Phoney PayPal e-mail is MiMail.j worm

(11/18/03)

The latest e-mail worm disguises itself as a message from online payment service PayPal. MiMail.j (w32.mimail.j@mm) is the ninth variant of the MiMail virus family and could compromise your security online. The e-mail states that your PayPal account is about to expire and asks that you update your credit card number along with other sensitive information, such as your mother's maiden name. It does not infect Linux, Mac, or Unix OSs. Because MiMail.j spreads via e-mail and may compromise your personal security, this worm rates a 4 on the CNET Virus Meter.

How it works
MiMail.j arrives as e-mail from Do_Not_Reply@paypal.com. The subject line reads: "IMPORTANT." The body text reads:

Dear PayPal member,
We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information. To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore. Thank you for using PayPal.

The attached filename is either www.paypal.com.pif or InfoUpdate.exe.

What to look for
MiMail.j copies the files svchost32.exe and ee98af.tmp to the Windows subfolder. It creates the following Registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SvcHost32"="[Windows subfolder]\svchost32.exe"
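As an added example (not from the article or from any of the antivirus vendors it links), the indicators above turned into two checks an incident responder or mail-gateway filter could run: a scorer for the lure message and a scan of an exported Run key that also catches a renamed value pointing at one of the dropped files. The sample message and .reg text are constructed for the example.

```python
import re
from email import message_from_string

# Indicators from the write-up above. SAMPLE_MAIL and SAMPLE_REG are
# constructed for this example, not captured from an infection.
LURE_SENDER = "do_not_reply@paypal.com"
LURE_SUBJECT = "IMPORTANT"
LURE_ATTACHMENTS = {"www.paypal.com.pif", "infoupdate.exe"}
RUN_VALUE_NAME = "svchost32"
DROPPED_FILES = {"svchost32.exe", "ee98af.tmp"}
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')  # one "name"="data" line of a .reg file

def score_message(raw: str) -> list[str]:
    """Return the MiMail.j lure indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if LURE_SENDER in msg.get("From", "").lower():
        hits.append("sender")
    if msg.get("Subject", "").strip().upper() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.walk():  # attachment names live on the MIME leaves
        name = part.get_filename()
        if name and name.lower() in LURE_ATTACHMENTS:
            hits.append("attachment:" + name.lower())
    return hits

def find_run_persistence(reg_export: str) -> list[str]:
    """Flag the SvcHost32 Run value, or any Run value launching a dropped file."""
    flagged = []
    for line in reg_export.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        name, target = m.group(1), m.group(2).replace("\\\\", "\\")  # un-escape .reg path
        exe = target.rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILES:
            flagged.append(name + "=" + target)
    return flagged

SAMPLE_MAIL = (
    "From: Do_Not_Reply@paypal.com\r\nSubject: IMPORTANT\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\n'
    "Dear PayPal member,\r\n--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="www.paypal.com.pif"\r\n\r\nMZ\r\n--b1--\r\n'
)
SAMPLE_REG = (
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"SvcHost32"="C:\\\\WINDOWS\\\\svchost32.exe"\r\n"Sync"="C:\\\\Sync\\\\sync.exe"\r\n'
)
```

Run `score_message(SAMPLE_MAIL)` and `find_run_persistence(SAMPLE_REG)` to see all three lure indicators and the single persistence entry reported.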

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, or Trend Micro.