Mimail resurfaces to go 'phishing' 12:54PM, Friday 16th January 2004
The latest incarnation of Mimail uses the very best components of other Mimails: a mass-mailing, PayPal spoofing, sensitive-info scanning super worm.

Mmdload-A, as Sophos is calling it, or small.cz, as Kaspersky names it, arrives as an email with the subject line 'PAYPAL.COM NEW YEAR OFFER' and appears to come from 'do not reply@paypal.com'. The message purports to offer the chance of winning money, to be funneled directly into the recipient's bank account. Of course, you'll have to fill in those details first.

'This is the latest Trojan "phishing" for personal financial data,' said Carole Theriault, security consultant at Sophos. 'The malicious coders know that not everyone who receives the email will be a PayPal customer, but similar to the mindset of spammers, if only a few people fall for the ruse, there is an opportunity to drain bank accounts.'

Attached to the message is paypal.exe. It is compressed, so some antivirus products may not be able to scan it and so fail to detect the Trojan it contains. When run, the Trojan connects to www.aquariumfish.ru and downloads a copy of Mimail-N (in Sophos speak) or Mimail.p (if you use Kaspersky).
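The lure described above can be flagged at a mail gateway from the indicators the article reports: the subject line, a sender claiming paypal.com, and an executable attachment. The following is an added example written for this page, not detection code from Sophos or Kaspersky. It uses Python's standard `email` parser and a constructed sample message (the attachment bytes are a placeholder beginning with an MZ header, not the real payload); the indicator names and scoring are assumptions for illustration.

```python
from email import message_from_string

# Indicators as reported in the article: the lure's subject line and the
# brand domain the sender address claims. Extension list is an assumption.
LURE_SUBJECT = "PAYPAL.COM NEW YEAR OFFER"
CLAIMED_BRAND_DOMAIN = "paypal.com"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample resembling the reported lure (not a captured message).
SAMPLE_LURE = (
    "From: do not reply@paypal.com\n"
    "To: victim@example.com\n"
    "Subject: PAYPAL.COM NEW YEAR OFFER\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "Congratulations! Fill in your bank details to receive your prize.\n"
    "--XYZ\n"
    'Content-Type: application/octet-stream; name="paypal.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="paypal.exe"\n'
    "\n"
    "TVqQAAMAAAAEAAAA//8AAA==\n"   # placeholder bytes: 'MZ' header, nothing else
    "--XYZ--\n"
)

# Constructed benign message for contrast.
SAMPLE_BENIGN = (
    "From: colleague@example.com\n"
    "To: victim@example.com\n"
    "Subject: Lunch on Friday?\n"
    "\n"
    "Usual place at one?\n"
)


def attachments(raw):
    """Return (lower-cased filename, first two decoded bytes) per attachment.

    Decoding the payload lets the check look at the file's magic bytes, so a
    renamed executable is still noticed; packing does not change the MZ header.
    """
    msg = message_from_string(raw)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        found.append((name.lower(), payload[:2]))
    return found


def score_message(raw):
    """Return the list of indicator matches for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip().upper()
    sender = (msg.get("From") or "").lower()

    if subject == LURE_SUBJECT:
        findings.append("subject matches reported Mimail lure")

    attached = attachments(raw)
    for name, head in attached:
        if name.endswith(EXEC_EXTENSIONS):
            findings.append(f"attachment {name} has an executable extension")
        if head == b"MZ":
            findings.append(f"attachment {name} starts with a Windows PE (MZ) header")

    # A message claiming to come from the brand should never carry a file.
    if CLAIMED_BRAND_DOMAIN in sender and attached:
        findings.append(f"claimed {CLAIMED_BRAND_DOMAIN} sender delivered an attachment")

    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(sample))
```

Any non-empty result is enough to quarantine for review; the MZ check is the one worth keeping even after the subject line and filename change in the next variant.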

Denis Zenkin, Head of Corporate Communications at Kaspersky Labs, told us: 'We sent an official request yesterday to an ISP that provides hosting services to this web-site and they are currently in the process of closing down the address.'

Once downloaded, Mimail scans for email addresses and begins mailing itself on to them using its own SMTP engine. However, it also scans the infected computer for E-Gold and PayPal applications and extracts sensitive information and sends it to a number of addresses that can be accessed by the worm's author.

Zenkin added that while the spate of Mimail worms has used similar components, they were not by the same hand. 'We are confident the author of Mimail.p is not the same person who made the original Mimail version, because he is now a fugitive from justice.

'Most probably the Mimail.p was created in Russia as the worm uses .ru web-site and .ru e-mail address. However this is not for sure as it is possible that virus-writers from other countries just used these domains.

'Not all of the "Mimail" versions were created in Russia. There are currently 16 of them and only half of them can be traced to learn their origin... There are three main origins of the worm - Russia, France and USA,' we were told.

Zenkin also added that Mimail.p is being spread initially through infected computers that are being used as proxy email servers to seed the worm. 'The worm was initially distributed using spam-methods, which include open proxies as well. However, the worm also possesses self-spreading capabilities using the built-in SMTP-engine,' he said.

Kaspersky says the definition file has already been added to its service.

More information is available through the Kaspersky and Sophos websites.
