New virus disguised as PayPal e-mail

A computer virus that camouflages itself as a message from PayPal has started spreading among home users, antivirus companies say.

Robert Lemos, Staff Writer, CNET News.com

A computer virus that camouflages itself as a message from PayPal has started spreading among home users, antivirus companies said on Friday.

The program is a variant of the Mimail virus, which has previously spread by appearing to be a security advisory from Microsoft. The latest version of the program is attached to an e-mail forged to look as though it came from PayPal, an online payment service bought by eBay last year. Running the program infects the victim's computer and asks the PC user for credit card information, which the virus then sends to the attacker.

"It is a new trend among virus authors to get deeper into criminal acts and attempt to generate revenue," said Craig Schmugar, virus research engineer for security company Network Associates.

Another virus, Sobig, is believed by many researchers to have been spread by a group that sells a list of the machines the program compromises to spammers. The latest variant of Mimail takes a more direct approach to illicitly obtaining funds.

The virus appears as an attachment--"www.paypal.com.scr"--to an e-mail that purports to be from PayPal.

"PayPal would like to inform you about some important information regarding your PayPal account," the message reads. "This account, which is associated with the email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy."

When a person opens the e-mail attachment, a window appears bearing the PayPal logo and asking for credit card information. The virus stores any information provided by the victim in a file called "ppinfo.sys" and the file is sent to four e-mail addresses stored in the program.

Antivirus companies are in the process of blocking access to the e-mail boxes.

The virus also searches through the Internet browser files cached on a victim's computer and harvests any e-mail addresses it finds there. It then sends itself, attached to a copy of the original e-mail, to every address found.

Companies tend to respond to such virus threats very quickly, and many block e-mail attachments as a matter of policy, so it's mainly home users that have to worry, said Vincent Weafer, senior director for incident response at security software company Symantec.

"We see a lot of corporate submissions in the very beginning and then it moves almost exclusively to those from home users," he said.

The companies recommended that PC users update their virus definitions.
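The attachment-blocking policy Weafer describes can be reduced to a check on attachment file names, shown here as an added example that is not code from the article or from any vendor it names. The extension and suffix lists, the function names and the sample message are assumptions constructed for illustration.

```python
import email.policy
from email.message import EmailMessage

# Extensions Windows executes directly; .scr (screen saver) is an ordinary program.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DOMAIN_LIKE_SUFFIXES = (".com", ".net", ".org")  # assumed list of web-like endings


def classify_attachment(filename):
    """Return the reasons to block this attachment name (empty list = allow)."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().lower().rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext not in BLOCKED_EXTENSIONS:
        return []
    reasons = ["executable extension ." + ext]
    # "www.paypal.com.scr": the text before the real extension looks like a host.
    if stem.startswith("www.") or stem.endswith(DOMAIN_LIKE_SUFFIXES):
        reasons.append("name imitates a web address")
    return reasons


def scan_message(raw):
    """Parse a raw message and return {filename: reasons} for blocked parts."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()
        reasons = classify_attachment(filename) if filename else []
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample():
    """Constructed message: harmless bytes under the file name from the article."""
    msg = EmailMessage()
    msg["From"] = "service@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Constructed body text.")
    msg.add_attachment(b"not a program", maintype="application",
                       subtype="octet-stream", filename="www.paypal.com.scr")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print("BLOCK", name, "->", "; ".join(why))
```

A file-name check only covers the disguise described in the article; it does not inspect attachment contents, which is the job of the updated virus definitions the companies recommend.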