Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

[Irwan Hadi <irwanhadi@phxby.com>]

On Fri, Nov 14, 2003 at 12:52:24AM -0200, Rodrigo Barbosa wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, Nov 13, 2003 at 04:43:16PM -0800, Larry Hand wrote:
> > Anyone else seeing this? It comes with an attachment Paypal.asp.scr. 
> > Anyone know what it is? It sure looks suspicious.
> 
> I beg your pardon, but ... suspicious ?!?! :)
> 

Actually the answer just came right now:
http://www.sophos.com/virusinfo/analyses/w32mimaili.html

W32/Mimail-I is a worm which spreads via email using addresses harvested from 
the hard drive of your computer. All email addresses found on your PC are saved 
in a file named el388.tmp in the Windows folder. 
In order to run itself automatically when Windows starts up the worm copies 
itself to the file svchost32.exe in the Windows folder and adds the following 
registry entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32 

The emails sent by the worm have the following characteristics: 

Subject line: YOUR PAYPAL.COM ACCOUNT EXPIRES 

Message text: 

Dear PayPal member, 

PayPal would like to inform you about some important information regarding your 
PayPal account. This account, which is associated with the email address 

<your.own@email.address.added.here> 

will be expiring within five business days. We apologize for any inconvenience 
that this may cause, but this is occurring because all of our customers are 
required to update their account settings with their personal information. 

We are taking these actions because we are implementing a new security policy 
on our website to insure everyone's absolute privacy. To avoid any interruption 
in PayPal services then you will need to run the application that we have sent 
with this email (see attachment) and follow the instructions. Please do not 
send your personal information through email, as it will not be as secure. 

IMPORTANT! If you do not update your information with our secure application 
within the next five business days then we will be forced to deactivate your 
account and you will not be able to use your PayPal account any longer. It is 
strongly recommended that you take a few minutes out of your busy day and 
complete this now. 

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated 
message system and the reply will not be received. 

Thank you for using PayPal. 

Attached file: www.paypal.com.scr 

If you run the worm, a dialog box pops up requesting you to enter a range of 
information about your credit card. This includes your full credit card number, 
your PIN, the expiry date, and even the so-called CVV code (this is an 
additional three-digit security code printed on the back of your card which is 
not recorded by credit card machines during transactions). The dialog includes 
a PayPal logo in a further attempt to appear legitimate. Information entered 
into the form is sent out by email. 

Note: do not act on web links or attachments sent to you in emails which claim 
to come from banks or financial companies. The apparent source of an email is 
too easily forged. 
 
 


> > ----------  Forwarded Message  ----------
> > 
> > Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
> > Date: Fri, 14 Nov 2003 03:29:00 -0500
> > From: PayPal.com <donotreply@paypal.com>
> > To: lhand@co.la.ca.us
> 
> - -- 
> Rodrigo Barbosa <rodrigob@suespammers.org>
> "Quid quid Latine dictum sit, altum viditur"
> "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
> iD8DBQE/tENnpdyWzQ5b5ckRAsuCAJ9m25kwTnpwR7oV9jaeSKmVg0v8MACgkmbV
> TThDx7KiEGijiGOhBnr5BwU=
> =ro3i
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html