W32/Mimail.I@mm & W32/Mimail.J@mm

18 November 2003

Mimail.I and Mimail.J are the two newest variants of the Mimail mass-mailing worm, which has appeared in various incarnations since late last summer. These two variants are very similar to each other and contain virtually the same code as their predecessors; the main difference lies in their method and intent. Mimail.I and Mimail.J attempt to fool users into giving up their credit card details and are therefore a direct attempt at illicit financial gain.

Mimail.I and Mimail.J both arrive in e-mails purporting to be from PayPal and asking users to submit their credit card details and PIN via a dialogue box that appears when the infectious attachment is run. At the same time the user's computer is infected, and the worm harvests e-mail addresses stored on the infected computer's hard drive in order to spread itself further. Once the information has been submitted, it is sent to four different e-mail addresses. Access to these accounts has been blocked.

The dialogue box that is displayed is designed to look very similar to the PayPal website in order to increase the likelihood of users being fooled and thereby voluntarily submitting this sensitive information. The difference between the two variants lies in what information they attempt to retrieve. In addition to the credit card information also requested by Mimail.I, Mimail.J asks users to submit further personal information such as their social security number and mother's maiden name.

Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

For more information on this worm and disinfection please visit our virus information section.

Threat Description

The e-mail carrying the Mimail.I and Mimail.J worms arrives as a minor variation on the following:

    From: PayPal.com
    To: <E-mail address of the recipient>

    Dear PayPal member,

    PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

    <E-mail address of the recipient>

    will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

    We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

    IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

    Thank you for using PayPal.

    <random text>
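A mail-gateway heuristic for this lure, as an added example that is not part of the original advisory: it flags a message whose sender names PayPal without a paypal.com address, that carries an executable attachment, and whose body contains at least two of the phrases quoted above. The executable extension list, the synthetic sample messages and the attachment name are constructed assumptions, not values from the advisory.

```python
import email
from email import policy
from email.utils import parseaddr

# Phrases taken from the lure text quoted in this advisory.
LURE_PHRASES = (
    "expiring within five business days",
    "run the application that we have sent with this email",
    "update your information with our secure application",
)
# Attachment types that execute when opened (assumed list, not from the advisory).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def analyze(raw_message):
    """Return the Mimail-style indicators present in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    attachments, body = [], ""
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_content().lower()
    return {
        # Assumption: a sender naming PayPal without an @paypal.com address is spoofed.
        "spoofed_paypal_sender": "paypal" in (display + addr).lower()
                                  and not addr.lower().endswith("@paypal.com"),
        "executable_attachment": any(n.endswith(EXECUTABLE_EXT) for n in attachments),
        "lure_phrases": [p for p in LURE_PHRASES if p in body],
    }

def is_mimail_style_lure(raw_message):
    """Flag when the spoofed sender, an executable attachment and two lure phrases coincide."""
    r = analyze(raw_message)
    return r["spoofed_paypal_sender"] and r["executable_attachment"] and len(r["lure_phrases"]) >= 2

def build_sample(sender, body, attachment_name=None):
    """Construct a raw test message (synthetic, not a captured sample)."""
    head = f"From: {sender}\r\nTo: user@example.org\r\nSubject: Your PayPal account\r\n"
    if not attachment_name:
        return head + "Content-Type: text/plain\r\n\r\n" + body + "\r\n"
    return (head + 'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\n" + body + "\r\n"
            f'--b1\r\nContent-Type: application/octet-stream; name="{attachment_name}"\r\n'
            f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n")

# Constructed lure body built from the wording quoted in the advisory.
LURE_BODY = ("Dear PayPal member, your account will be expiring within five business days. "
             "You will need to run the application that we have sent with this email.")
```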

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Mimail.I@mm and W32/Mimail.J@mm using virus signature files dated 17 November 2003 or later.

Commtouch® is a leading developer of anti-virus software and anti-spam filtering services. Commtouch's anti-virus software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris and AIX, as well as for Microsoft Exchange groupware.

© 2014 CYREN