Virus Characteristics
-- Update 19th November 2003 --
Due to an decrease in prevalence, the risk assessment of this threat has been lowered to Low-Profiled.
--
-- Update 14th November 2003, 4:26 PST --
Due to an increase in prevalence, the risk assessment of this threat has been raised to Medium.
--
This new variant of W32/Mimail.gen@MM
attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys
, which is sent to four email addresses, hard-coded in the worm. (Access to these mailboxes is in the process of being blocked).
The worm constructs email messages using its own SMTP engine. As with previous variants, the mailing routine queries the mail server for the domain related to the target (harvested) address. This is determined via an MX lookup on the target domain. Messages are then sent through that SMTP server.
This worm is received in an email message as follows:
From:
"PayPal.com" donotreply@paypal.com
Subject:
YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address
recipient email-address
will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
Attachment:
(one of the following):
- www.paypal.com.scr
- paypal.asp.scr (may be seen via seeding of the worm)
When the attachment is run, the following Window is displayed:
Mail Propagation
The worm emails itself to addresses found on the infected computer. Target email addresses are harvested from files on the victim's machine. The worm ignores address extraction from files that contain the following extensions:
- avi
- bmp
- cab
- com
- dll
- exe
- gif
- jpg
- mp3
- mpg
- ocx
- pdf
- psd
- rar
- tif
- vxd
- wav
- zip
Target folders are determined by querying the following Registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders
Credit Card Information Stealing
Victims of the PayPal scam will have their credit card information collated into C:\PPINFO.SYS. The worm then attempts to send this data to four email addresses encrypted in its body.
- mystics@mail15.com
- need4cc@mail15.com
- nakayamo@centrum.cz
- cccash@centrum.cz
Thus, outgoing DNS queries to these servers will be issued from the victim machine.