The W32/Mimail.I@MM Virus Is A Scam Aimed At PayPal Clients

This information can be freely reproduced in any medium, as long as the information is unmodified.

Update 14 November 2003 10:40 EST: VirusScan 4304 drivers have been releases and are on-line at U-M. Your machines should updating themselves within the hour.

Update 14 November 2003 07:32 EST: There is a VirusScan "Extra.DAT file now available for Mimail.I. The easiest way for VirusScan users to install this is to download the "Super EXTRA.DAT" file from NAI to your Desktop, then double-click on the downloaded file (100822a.exe). That's all that is necessary.

The Mimail virus family infects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, receive plenty of email from Mimail, so its "annoyance factor" is large.

• Mimail.I was discovered in the evening 13 November, 2003; it should be little threat at the University, since most folks know better than open unexpected email attachments, let alone to enter their credit card numbers into them. Still, VirusScan does not yet protect against this. I expect that VirusScan will have an early release of its 4304 drivers, and our postmaster has blocked Mimail.I as of 14 November, 02:56 EST, just a few hours after the virus was discovered, and very soon after we asked for the block -- thanks, postmaster!!

• We will release the VirusScan 4304 drivers -- which will cover W32/Mimail.I@MM -- as soon as they are available, so U-M Windows users who have VirusScan installed and updating itself automatically should have be portected against Mimail.I within an hour or so thereafter

• If you opened the infected email attachment, though -- before the release of the 4204 drivers, anyway -- the virus probably bit you. NEVER open unsolicited email attachments, even when they appear to be from someone you know and trust. [Instead, email the sender to ask if s/he sent it, and what it is, and demand a sufficiently detailed answer that a virus would be unable to generate. Better yet, ask over the phone or in person; no virus can forge that!]

  Note that even if you have antivirus software, that does not mean that you will not see large numbers of emails from victims of this virus. But since this virus is not likely to infect as many people as some other viruses -- compared, for example, to Sobig.F, we expect that the deluge overall will be significantly less. Of course, University members will see very few after the 4304 drivers are installed on our email gateway, but those outside our protective shield may see a lot of them.

That said, Mimail.I is definitely "In The Wild" in significant measure, probably mostly on "unadministered" computers.

The main features of Mimail.I are these:

• Mimail.I comes with an attachment that, if launched, infects the computer and attempts to send out email with similarly infected attachments to email addresses harvested from the victim's machine.

• The text of the message attempts to fool the reader into believing that his or her PayPal account is expiring in 5 days, and that the reader "should run the attachment to avoid any interruption in PayPal services."

• If one falls for this ploy, the attachment requests credit card info, which it will send to the criminals who wrote this virus.

  DO NOT BE FOOLED!. I am quite certain that PayPal does not send email containing attachments.

• Mimail.I harvests email addresses it finds on the infected computer, not only from addressbooks. It uses these addresses as targets to which to send infected attachments but the "From:" field always appears to be "donotreply@paypal.com"

• The "Subject:" field appears always to be "YOUR PAYPAL.COM ACCOUNT EXPIRES"

• Mimail.I modifies the Registry so that it will always run at startup.

For more details, see the antivirus vendor URLs below.

Obviously, you should not attempt to open the attachment.... But then again, at the risk of sounding like a broken record: you never should open unsolicited attachments -- not even when they appear to be from someone you know and trust.

What should you do if:

• If know you are infected by Mimail.I?

  Disinfect with current, top quality antivirus software... as soon as virus definitions are available. At the time of this writing, most antivirus products do not yet have such definitions, but I expect them within the next few hours.

  University folks can get such software here.

  There is an excellent tool for handling nasty viruses It's NAI's free! Stinger tool (leaving our site). At this time, Mimail.I is not covered by Stinger, but I expect that it will be later today (14 November 2003). If you use Stinger, be sure to follow all the instructions they provide -- in particular, if you use WinME or WinXP, disabling System Restore. Otherwise, you'll be wasting time and effort. IN ADDITION I recommend booting in Safe Mode before using Stinger.

  Also, note that while Stinger removes a few nasty viruses, it does NOT detect most of the 80000+ viruses known to exist -- nor does it protect you from getting reinfected. For that, you must use normal antivirus software.

  One more time: Stinger is for detection and removal only, not protection.

• You receive email you suspect is infected with Mimail.I -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

For technical info on Mimail.I, see e.g. Network Associates write-up on W32/Mimail.I@MM (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/mimail-i.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB