A New Modification Of Mimail Sent In Mass Spam Distribution

Kaspersky Labs, a leading information security software developer has detected a mass mailing of a Trojan program “small.cz” which downloads Mimail.p, a new version of the Mimail email worm, from a remote server.

To date, isolated incidents of infection by this malicious software have been reported in various countries throughout the world.

The Trojan has been sent in the guise of a message from the payment system PayPal. The sender’s address is falsified as “do_not_reply@paypal.com”, the message topic appears as “PAYPAL.COM NEW YEAR OFFER”, and the attachment is named paypal.exe. When run, the Trojan in the file connects to a remote server, downloads Mimail.p and installs it in the system.

Mimail, which was created in Russia and first appeared on the Internet at the beginning of August 2003, is a classic email worm, which spreads via mail messages. The new modification of the worm differs from previous versions only by the fact that it is compressed using UPX. This makes it more difficult for some anti-virus programs to detect Mimail.p

After installation, Mimail.p begins the process of replication. The worm first secretly scans several directories of the infected computer and extracts email addresses. It then sends copies of itself to these addresses using its built-in procedure.

The worm has dangerous side effects, which can cause significant harm to users. In particular, Mimail.p tracks the activity of E-Gold and PayPal payment system applications installed on the infected computer. It extracts confidential information and sends this information to a number of anonymous addresses belonging to the worm’s author. In the same way, the worm steals other confidential data such as user names and passwords for email, access to system information etc.

Protection against Mimail.p has already been added to the Kaspersky Anti-Virus database.