Greed is replacing plain maliciousness among virus writers. The worm Mimail and its variants have reached fifth place on the all-time list of most destructive viruses.

The Mimail virus is the latest in a series of "phishing" scams, in which the virus-makers send e-mail that appears to come from a major bank or company. The e-mail directs the user to divulge personal identity information.

Mimail seeks to defraud people by inducing users of PayPal, owned by eBay, to enter their credit-card information into a pop-up window. If the victim clicks on an attached program to activate the virus, Mimail.J also asks for a social-security number and mother's maiden name, two key pieces of data essential for identity theft.

Mimail.J is the 10th variant of the virus first spotted in August. According to security company F-Secure, Mimail.J is almost identical to Mimail.i, but seems to be spreading more quickly than its predecessor.

Security specialists at the London-based mi2g Intelligence Unit yesterday said that the total economic damage from the Mimail malware family has reached $8.85-billion (U.S.) worldwide in terms of productivity losses as well as business interruption.

The alarms raised in the security community are due to the risk Mimail carries for PayPal users.

"Someone has gone to a considerable amount of trouble to fashion PayPal-lookalike screens and phish for credit card details," said an F-Secure spokesman.

Mimail's spread is also due to the fact it has also managed to slip into many corporate networks. While corporate networks have largely been successful at stopping viruses at the incoming server level, they have fallen victim when mobile workers or guest users connect infected PCs directly to internal local area networks.

The Mimail family, which is aimed at Windows users only, ranks below Sobig, Klez, Yaha and Swen. The recent appearances of the latest two variants, Mimail.I (Nov. 14) and Mimail.J (Nov. 17) have pushed the worm into the fifth-place position, mi2g said Thursday.

The e-mail message's "from" address is forged to read Do-Not-Reply@paypal.com and the subject line says "Important." The message text carries a false warning to PayPal users that their account is about to expire. It includes the warning: "IMPORTANT! If you ignore this alert, your account will be suspended in [the] next five business days and you will not be able to use PayPal anymore."

In similar banking scams, most of the victims have been directed to enter their data into a look-alike website. But Mimail's use of an executable program that collects and sends the data back to the attacker makes it difficult for victim companies to stop the scam, which they usually do by calling on Internet service providers to shut down the offending website.

"Five years ago hackers and virus writers carried out most of the attacks to demonstrate intellectual prowess," mi2g chairman D.K. Matai said Thursday. "The metamorphosis in motives has definitely been toward financial fraud and extortion activity."

Mimail has security experts convinced that it represents a change in the mindset of virus authors.