Mmdload arrives as a zipped attachment in an email which carries exactly the same subject line and text used by the recent Mimail-N worm. The message offers recipients the chance to win some cash, which will be placed directly in their bank accounts, as long as they fill in the form asking for personal financial details.
Once the attachment is unzipped and its file, PAYPAL.exe, is launched, the Trojan attempts to contact a Russian website, www.aquarium-fish.ru, to download a copy of Mimail-N giving it a new lease of life by enabling it to bypass email gateway protection. This is the same website to which Mimail-N worm attempts to send the completed PayPal forms.
"This is the latest Trojan 'phishing' for personal financial data," said Carole Theriault, security consultant at Sophos. "The malicious coders know that not everyone who receives the email will be a PayPal customer, but similar to the mindset of spammers, if only a few people fall for the ruse, there is an opportunity to drain bank accounts."
As well as desktop anti-virus protection, Sophos recommends that companies consider blocking all programs at the email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain simply by blocking all emailed programs, regardless of whether they contain viruses or not.
"Best practice for business should include automatic blocking of all executable code at the email gateway," continued Theriault. "Reputable companies do not send out files in this way, and users should think twice before they click on unsolicited email messages."