New Mimail mixes tricks for PayPal scam

In their quest to bypass security protections, virus writers are now using Trojan horse programs to upload their malicious code to a victim's PC.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Virus writers are going beyond "click to infect" programs by merging a trio of techniques to bypass security and compromise computers with malicious code.

Antivirus companies point to the increase in downloader programs in e-mail as part of the trend toward more-complex attacks. These tiny Trojan horses are being used in combination with viral programs and Web site hosting to dupe PC owners and bypass security software.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

The latest example of this approach uses a Trojan horse dubbed Downloader-GN. When run, the less-than-3,000-byte program uploads the Mimail.p virus to the victim's computer from a Web site in Russia. That virus then attempts to convince the user to type in personal and financial information, a technique known as "phishing."

The method is complicated and not all that original. Other viruses have attempted to upload other programs from Web sites to augment their abilities, and small download programs are also common. However, antivirus companies say that using all three together is a trend, and that some PC users have taken the bait.

"There is a huge population that recognizes these spammings are false, but there is a small population that falls for it," said Craig Schmugar, a virus research manager for security software maker Network Associates.

Downloader-GN was sent out in a bulk e-mailing two days ago with an accompanying message that claimed to be from online payment company PayPal, according to security software companies. The fraudulent e-mail claimed that PayPal would add 10 percent to the account value of any customer who filled out a form accessed by running the attachment, named Paypal.exe.

"Registration is simple," stated the message. "Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided."

When run, the Downloader program will upload a program from a Russian Web site and run it. Antivirus companies identified the program as a variant of the Mimail virus. The program could be changed, but the Web site has currently been taken down by the Internet service provider, said Schmugar.

PayPal is a common target of phishing scams and has posted advice online to tell customers how to avoid becoming a victim. Customers of eBay, Amazon.com, Microsoft and banks are also popular targets of such scams.

Even a small number of successes can make such schemes worth the effort for the virus writer.

"Just like spammers, the malicious coders can make enough money to make it worth their while, if only a small percentage of folks actually fall for the ruse," said a statement from Chris Belthoff, a senior security analyst at antivirus company Sophos. "For those that do, the bad guys can completely drain their bank accounts."

Blocking any executable attachments can protect corporate users, and personal firewalls can give warning when an unauthorized program tries to download a file from the Internet. Moreover, PC users should be cautious of trusting any unsolicited e-mail, Belthoff said.

"Reputable companies do not send out files in this way, and users should think twice before they click on unsolicited e-mail messages," he said.