PayPal users targeted by latest Mimail mutant

Just days after being hit by the Mimail.i worm, PayPal users are now under attack from Mimail.j, which is spreading rapidly.

In the past day, around 25,000 users have been infected by Mimail.j, the latest mass-mailing worm designed to target PayPal users. According to security company F-Secure, Mimail.j is almost identical to Mimail.i but seems to be spreading more quickly than its predecessor. The latest variant of Mimail appears to be sent from "Do_Not_Reply@paypal.com" and contains a string of random characters in the subject line. Attached to the email is either a file called "InfoUpdate.exe" or "www.paypal.com.pif".

Mark Sunner, chief technology officer at email security firm MessageLabs, said that Mimail.j's sole purpose is to defraud unsuspecting users, which he believes indicates a change in the mindset of virus authors: "Once, disruption was motivation enough, but now we are seeing a new breed of cybercriminal that is intent on using viruses as a means of lining their own pockets. They rely on duping a crop of unsuspecting users before a new variant is released and the process begins again," he said.

"It is curious that two have come along in the space of three or four days but Mimail.j is a recompiled version of Mimail.i, with minimal changes. Most of the changes seem to reflect different subject lines and different email content text when users open it, but the method of operating is pretty identical," said a spokesman for F-Secure.

The worm has been rated highly dangerous because of the risk it carries for PayPal users: "Someone has gone to a considerable amount of trouble to fashion PayPal-lookalike screens and 'phish' for credit card details," said the F-Secure spokesman.

The recent spate of worm and virus attacks has led network giant Cisco to collaborate with antivirus software vendors -- including Network Associates, Symantec, and Trend Micro --  to create the Cisco Network Admission Control system, which is part of the company's strategy to help enterprises minimising the impact of viruses and worms.

Mark Bouchard, senior programme director at the META Group, welcomed the Cisco announcement, and commented that enterprises should make it a priority to ensure that insecure nodes within their network are adequately protected: "Many organisations were successful at stopping recent worm attacks at their Internet boundaries, yet still fell victim to the exploits when mobile or guest users connected their infected PCs directly to internal local area networks. Eliminating this type of threat will require a combination of strengthened policies and network admission control systems."

Click here for more details about the worm and how to remove it from ZDNet U.K.

ZDNet U.K.'s Munir Kotadia reported from London.