W32/Mimail.I@mm & W32/Mimail.J@mm

18 November 2003

Mimail.I and Mimail.J are the two newest variants of the Mimail mass-mailing worm, which has appeared in various incarnations since late last summer. The two variants are very similar and contain virtually the same code as their predecessors; the main difference lies in their method and intent. Mimail.I and Mimail.J attempt to fool users into giving up their credit card details and are therefore a direct attempt at illicit financial gain.

Mimail.I and Mimail.J both arrive in e-mails purporting to be from PayPal and asking users to submit their credit card details and PIN via a dialogue box that appears when the infectious attachment is run. At the same time the user's computer is infected, and the worm harvests e-mail addresses stored on the infected computer's hard drive in order to spread itself further. Once the information has been submitted it is sent to four different e-mail addresses. Access to these accounts has been blocked.

The dialogue box is designed to look very similar to the PayPal website in order to increase the likelihood of users being fooled and thereby voluntarily submitting this sensitive information. The difference between the two variants lies in what information they attempt to retrieve: in addition to the credit card information also requested by Mimail.I, Mimail.J asks users to submit more personal information such as their social security number and mother's maiden name.

Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest version of F-Prot Antivirus installed on their computers. After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
Threat Description

The e-mail carrying the Mimail.I and Mimail.J worms arrives in minor variations on the following:

From: "PayPal.com" Do_Not_Reply@paypal.com
Subject: IMPORTANT
Attachment: www.paypal.com.scr

Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Mimail.I@mm and W32/Mimail.J@mm using virus signature files dated 17 November 2003 or later.
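The lure above can be flagged at a mail gateway before any signature update arrives. The following is an added example, not code from the advisory or from F-Prot: it parses a message with Python's standard `email` library and reports the indicators the advisory describes (a sender claiming to be PayPal with the subject "IMPORTANT", an executable attachment whose filename mimics a web address, and body text asking the reader to run the attachment). The sample message is constructed for the example.

```python
import email
from email import policy

# Executable extensions a mail gateway would normally not accept as attachments.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat"}

# Constructed sample message modelled on the lure quoted in the advisory.
SAMPLE = """\
From: "PayPal.com" <Do_Not_Reply@paypal.com>
To: victim@example.com
Subject: IMPORTANT
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear PayPal member,
To update your personal profile and continue using PayPal services you
have to run the attached application to this email.

--b1
Content-Type: application/octet-stream; name="www.paypal.com.scr"
Content-Disposition: attachment; filename="www.paypal.com.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def attachment_names(msg):
    """Return the filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def mimail_indicators(raw):
    """Return the list of Mimail-style lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").strip()
    if "paypal" in sender and subject.upper() == "IMPORTANT":
        hits.append("paypal-sender-with-IMPORTANT-subject")
    for name in attachment_names(msg):
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(f"executable-attachment:{name}")
            stem = lower[: -len(ext)]
            # "www.paypal.com.scr": a hostname-looking stem in front of an executable extension.
            if stem.startswith("www.") or stem.count(".") >= 2:
                hits.append(f"url-lookalike-filename:{name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if "run the attached" in text.lower():
        hits.append("body-asks-to-run-attachment")
    return hits
```

Any message with an executable-attachment hit should be quarantined regardless of the other indicators; the remaining checks add confidence for analyst triage.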