|The Mimail-I worm tries to fool you into entering
your credit card information
Sophos, a world leader in anti-virus and anti-spam protection
for businesses, is warning of a new variant of the Mimail worm,
which is spreading widely.
The new worm, named W32/Mimail-I, arrives in
an email with a subject line of "YOUR PAYPAL.COM ACCOUNT EXPIRES",
and asks you to provide detailed information about your credit
card, claiming that PayPal "are implementing a new security
The email tells you not to send your personal information
through email (ironically, correctly advising you that email is
insecure) and instructs you to run the attached program
If you run the program, attached in a file called
"www.paypal.com.scr", a dialog box pops up requesting you to enter
a range of information about your credit card. This includes your
full credit card number, your PIN, the expiry date, and even the
so-called CVV code (this is an additional three-digit security code
printed on the back of your card which is not recorded by credit
card machines during transactions). The dialog includes a PayPal
logo in a further attempt to appear legitimate.
"Mimail-I tries to harvest your bank card data and then sends it
out to the bad guys in an email," explained Paul Ducklin, head of
technology, Asia Pacific, at Sophos. "It even includes a
realistic-looking checkbox which you are expected to tick in order
to confirm that the details you have entered are correct."
"But the email sent to you by Mimail-I could never be
legitimate," Ducklin points out. "Banks and credit card companies
never request information of this sort via email, just as computer
security companies never send out patches this way. Email is simply
not secure enough for transactions of this type."
As well as stealing bank information, Mimail-I sends itself to
everybody whose email addresses appear on the user's hard disk.
This is likely to generate a lot more email traffic than computer
users may have bargained for.
Sophos offers the following advice:
- Don't act on web links or attachments sent to you in emails
which claim to come from banks or financial companies. The apparent
source of an email is too easily forged.
- Block all Windows programs and files (EXE, DLL, SCR, BAT, PIF,
CMD, etc.) at your email gateway if you can. Because of the
associated risks, there is almost no business case for distributing
programs by email.
- Filter outbound email with a product such as Sophos PureMessage or Sophos MailMonitor before it leaves your
network. This is good "internet citizenship", because it limits the
collateral damage you can do to the internet even if you become
- Update your anti-virus software regularly and frequently so you
can identify the latest threats accurately. Using a product (such
as Sophos Enterprise Manager) which can
automate updates takes the stress and uncertainty out of the