PayPal Spam Warns of Fraud, Installs Worm Instead
A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment.
Here’s a sample email:

Figure 1. This supposed PayPal email message warns users that their accounts may have been compromised.
It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered.
The attachment that arrives with this spam, however, does not contain a report or any similar information.
Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution.

Figure 2. Users expecting a document may be surprised to see that the file contains an executable.
Detected by Trend Micro as WORM_POISON.LA, this malicious executable has routines that are related to the (now infamous) peer-to-peer file-sharing application Kazaa.
Other PayPal-related spam runs include the following:
The Trend Micro Smart Protection Network already blocks the spammed PayPal message, keeping users’ PCs away from its malicious attachment. It also detects WORM_POISON.LA and provides solutions for its cleanup and removal. Users are strongly advised to refrain from downloading and executing files found in unsolicited email messages.
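A mail gateway or triage script can catch this pattern (a .ZIP attachment whose contents are an executable rather than a report) before the message reaches a user. The following is an added example, not code from Trend Micro or from the original post; the function names, the extension list and the sample message are assumptions constructed for illustration. It goes one step beyond the case described above by also flagging members that carry a DOS/PE "MZ" header under a non-executable extension.

```python
import email, io, os, zipfile
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def risky_zip_members(zip_bytes):
    """Return (member name, reason) for each executable found in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension"))
            elif not info.is_dir() and not info.flag_bits & 0x1:
                # Unencrypted member: look for the DOS/PE "MZ" magic.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append((info.filename, "PE header, other extension"))
    return findings

def scan_message(raw_bytes):
    """Inspect every ZIP attachment of a raw RFC 5322 message."""
    findings = []
    for part in email.message_from_bytes(raw_bytes).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload and payload.startswith(b"PK\x03\x04"):
            try:
                findings += risky_zip_members(payload)
            except zipfile.BadZipFile:
                findings.append((part.get_filename(), "malformed ZIP"))
    return findings

def build_sample():
    """Constructed sample: a message with a ZIP holding harmless stub bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("summary.doc", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text")
    msg = EmailMessage()
    msg.set_content("See the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

Encrypted members are skipped by the header check because their contents cannot be read without the password, so a production filter would need a separate policy for password-protected archives.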

















