A New Version of Mimail Spreads

14 Nov 2003
Virus News


Kaspersky Lab has detected Mimail.i, a new version of the Mimail Internet worm in the wild. Like its predecessors, the latest version of Mimail spreads as an email attachment named paypal.asp.scr. The sender address is fake and appears as donotreply@paypal.com. The subject is also a deliberate attempt to fool the recipient and purports to be information about the user's PayPal account. The subject line reads 'YOUR PAYPAL.COM ACCOUNT EXPIRES'. The body of the letter contains a text in English, which requests the recipient to update their personal PayPal information by using the attached file. The worm gains control over victim machines only if the attachment is opened. If the victim does launch Mimail, the worm opens a dialogue box where it asks for PayPal credit card information. Any data that is entered is saved in a file named ppinfo.sys, which the worm mails to the virus creator. Kaspersky Lab strongly recommends that the Internet community be on the alert for all versions of Mimail. All users are also urged to be wary of attachments in unsolicited mail and to keep their anti-virus databases up to date. A detailed description of Mimail.i is available in the Kaspersky Virus Encyclopedia The defence against Mimail.i has already been added to the Kaspersky anti-virus database.