Welcome to the Police Notebook! Main Menu of Sub-Topic Areas Crime Prevention Information Personal Safety Topics Internet Safety Articles Kid Safety on the Internet Fire Safety Information First-Aid and Health Related Information Drug and Alcohol Abuse Resources Emergency Phone Number Listings Active Police Investigations The Citizen\'s Self-Arrest Form About the OU Police Department News About Features of This Site The Police Notebook\'s LINKS to Other Related Sites Online Forms for Reporting Problems, as for Questions & Requests Kudos We\'ve Received for this Site Text Search of all the Police Notebook Pages The Police Notebook - INDEX Jump to the University of Oklahoma HOME PAGE Restricted Area for OUPD Intranet workstations ONLY Copyright Information, Disclaimers, and other Site Information Click HERE to jump to the Sooner Safety Report




Preventing Identity Theft - Continued...
Fake PAYPAL Letter Example...

How this particular identity-theft mass-mailing worm works...

Win32/Mimail.p@MM is a mass-mailing worm, intended to email itself from computer-to-computer using target email addresses harvested from infected computers. This worm uses its own SMTP mailer engine —it doesn't rely on any specific e-mail client.

IDENTITY THEFT! Additionally, it's email-attachment file payload (usually pp-app.zip in this variation) is designed to steal credit card and other personal information from any unwitting victim.

Here's what a typical Win32/Mimail.p@MM worm email message looks like when received in Microsoft Outlook:

Typical Win32/Mimail.p@MM Worm Email Message
bullet The "From:" address used by the worm is fake, to make the message appear to come from PayPal.com.
bullet The ":To:" address (shown in the example as "Your Name") may be the victim's name or some other stolen/faked name.
bullet The "Subject:" field typically contains this text, "GREAT NEW YEAR OFFER FROM PAYPAL.COM!", followed by a string of random characters.

When email-attached file (the worm) is opened (executed) it copies files to onto the victim's computer into the windows directory, then modifies the Windows registry to launch itself at the next system startup.

When sending e-mail, Win32/Mimail.p@MM harvests e-mail addresses from the victim's computer by searching a number of folders where email addresses are commonly stored by various programs. All e-mail addresses the worm finds on the victim's computer are stored in the file "OUTLOOK.CFG", which the worm creates in the Windows folder.

When sending e-mail to a particular address, Win32/Mimail.p@MM contacts a DNS server in order to receive the default mail server name (from MX records) for a given domain, For example, when sending an e-mail to yourname@myisp.com, the worm would find the name of the mail server for the domain "myisp.com" and then connect directly to that mail server (port 25, using SMTP). Win32/Mimail.p@MM doesn't try to send e-mail if the user machine isn't connected to the Internet. determine that a user machine is connected to the Internet. In order to verify Internet-connectivity, the worm attempts to connect to www.google.com. The purpose of the outgoing messages sent by the worm is to spread the worm (in the ZIP file attachment).

The W32/Mimail.p@MM worm mailing/message is constructed to fool the recipient into thinking it's a legitimate letter from PayPal.com. If an Internet connection is detected on execution, two forms are displayed asking for credit card and personal information. Once this information is filled in, it is sent to a remote website.

When first run, Mimail.P displays the following window:

First Information Stealing Screen

If sufficient details are entered, it then displays this message:

Addtional Information Stealing Screen

Finally, it displays this message:

Closing Message

The worm saves the information entered into the two identity-theft forms to a temporary file, and the main worm executable constantly checks for the presence of that temp file. If/when it's found, the worm sends victim's personal data to several different e-mail addresses. The worm also collects the victim's ISP/dialup information from the MS Windows registry: RAS, POP and SMTP server accounts.

The worm can send out all it's collected loot (all the email addresses found on the victim's machine, the victim's personal data from forms-fillin, and the ISP/email server info) using server applets hosted on a Russian website. It may also modify the victim's default MSIE home page.

Worm Details...

  • Worm name: W32/Mimail.p@MM

  • Aliases: Win32/Mimail.P, Win32.Mimail.N,
  • Discovered: January, 2004
  • Can infect computers with these operating systems:
        Windows 95/98/ME/NT/2000/XP/2003
REMEMBER: This worm is not unique! There are many email and website based scam threats that attempt to capture/harvest your personal information either directly from your computer, or by persuading you (by their apparent "legitimacy") to type in your personal data.

Also, don't expect a fake email to be "crude" in any way! These identity theives copy real webpages and forms from actual commercial sites to make their fake mailings/websites/forms look identical to the real McCoy!

Play it safe! Don't open ANY email attachments, even those that appear to come from your friends, unless you personally solicited the attachment from them, or have checked with them about it first.

Return to SCAMS! page

The Police Notebook - Main Menu The Police Notebook - INDEX The Police Notebook - HOME PAGE The Police Notebook - SEARCH Page Click HERE to jump to the The POLICE NOTEBOOK home page. (The University of Oklahoma Police Department)

The Police Notebook, Copyright © 2004,
the Board of Regents of the University of Oklahoma.
All rights reserved.

Sponsor: OU Police Department — Developer: Richard M. Hamilton, OUPD
Jump to the OU Home Page