The new worm, named W32/Mimail-I, arrives in an email with a subject line of "YOUR PAYPAL.COM ACCOUNT EXPIRES", and asks recipients to provide detailed information about their credit cards, claiming that PayPal "are implementing a new security policy."
The email correctly advises not to send this personal information through email as it could be insecure. Instead, it instructs credit card holders to run the attached program.
If the user double-clicks on the attached file, "www.paypal.com.scr", a dialog box pops up requesting the user to enter a range of information about their credit card. This includes full credit card number, PIN, expiry date, and even the CVV code - the three-digit personal security code printed on the back of cards. The dialog box includes a PayPal logo in a further attempt to appear legitimate.
"Mimail-I tries to harvest bank card data and then sends it out to the bad guys in an email. It even includes a realistic-looking checkbox which users are expected to tick in order to confirm that the details they have entered are correct," said Graham Cluley, senior technology consultant, Sophos. "But the email sent by Mimail-I could never be legitimate - banks and credit card companies never request information of this sort via email, which is simply not secure enough for transactions of this type."
As well as ripping off bank information, Mimail-I sends itself to everybody whose email address appears on the infected hard disk.
Sophos advises that Mimail-I can be easily prevented by using up-to-date anti-virus software, or blocking files with more than one extension at the email gateway.
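The gateway rule described above, sketched as an added example (not Sophos code or any product's configuration): it parses a message and flags attachments whose filename has more than one extension. The function names, the executable-extension list and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: final extensions treated as directly runnable on Windows.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js"}

def extensions(filename):
    """Return the dot-separated suffixes of a filename, lowercased."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    return [p for p in parts[1:] if p]

def check_message(raw_bytes):
    """Return (filename, reasons) for each attachment the gateway should block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231 / encoded names
        if not filename:
            continue
        exts = extensions(filename)
        reasons = []
        if len(exts) > 1:
            reasons.append("multiple-extensions")
        if exts and exts[-1] in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
        if reasons:
            blocked.append((filename, reasons))
    return blocked

def build_sample():
    """Constructed message: one attachment named as in the article, one benign."""
    msg = EmailMessage()
    msg["Subject"] = "YOUR PAYPAL.COM ACCOUNT EXPIRES"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="www.paypal.com.scr")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample()))
```

Applied literally, the multiple-extension rule also catches benign names such as versioned documents, so a gateway would normally quarantine such attachments for review rather than silently discard them.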