Malware Authors Go Old School With New Mass Mailer Worm - Info from Symantec
A global mass mailer worm is spreading and, according to Symantec Security Response, affecting hundreds of thousands of computers worldwide. This appears to be a new attack, but it is similar to classic old-school mass-mailing viruses like Nimda, Melissa and the Anna Kournikova virus from 2001.
The new, malicious computer worm spreads using a socially engineered email attack. The threat arrives in the form of a standard email that directs the recipient to click on a link embedded in the email. This link points to a malicious program file that is disguised as a PDF file, hosted on the internet. When the user clicks on this link, their computer downloads and launches the malicious file. This process installs the worm onto the victim's computer. Initial analysis indicates that the worm disables many common AV products (but it does not successfully attack Norton/Symantec products). Once running on the computer, the threat attempts to email a copy of the original message to all email addresses found in the infected user's email address book. The threat also attempts to spread from computer to computer over the local network (e.g., within the enterprise intranet) by copying itself to open drive shares found on other machines on the network. Once the threat copies itself to another machine, if a user even opens the folder that contains the threat on this new machine, this will launch the threat and cause it to spread further through both email and over shared drives.
Symantec detects the downloaded payload as W32.Imsolk.B@mm and has added spam detection for the malicious emails as well. Symantec Hosted Services saw the first copy of this new virus 13 hours ago, at approximately 11:30pm Sydney time on Thursday 9th Sept 2010.
Enterprise customers using Symantec AntiVirus or Symantec Endpoint Protection with a Rapid Release signature set dated Sep 9th 2010 rev 023 (or later) are already completely protected. Enterprise customers using MessageLabs Hosted Email AntiVirus are also 100% protected. In addition, our Norton consumer customers were proactively protected from download of this threat through the Download Insight feature, which leverages our reputation-based security technology.
Computer users should remember best practices and keep virus definitions up-to-date, and avoid clicking on links and/or attachments in email messages. Network administrators are encouraged to configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. The file used in this case is a .SCR file.
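The mail-server rule described above can be sketched as follows. This is an added example, not Symantec's code; it checks attachments against the listed extensions and goes one step further by also checking the file a body link points to, since this worm arrives as a link rather than an attachment. The sample message, hosts and file names are constructed.

```python
import re
from email import message_from_string
from urllib.parse import unquote, urlparse

# Extensions the advisory lists as commonly used to spread viruses.
BLOCKED_EXTS = (".vbs", ".bat", ".exe", ".pif", ".scr")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; hosts, addresses and file names are made up.
SAMPLE = """\
From: sender@example.test
To: user@example.test
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The document is here: http://files.example.test/library/report_pdf.scr
Agenda: http://files.example.test/agenda.pdf
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.PIF"

AAAA
--b1--
"""

def is_blocked(name):
    """True if a file name ends in a blocked extension (case-insensitive)."""
    return name.strip().rstrip(".").lower().endswith(BLOCKED_EXTS)

def scan_message(raw):
    """Return findings for blocked attachments and links to blocked file types."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # attachment: check its declared file name
            if is_blocked(filename):
                findings.append("attachment:" + filename)
        elif part.get_content_maintype() == "text":  # body: check linked files
            body = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            for url in URL_RE.findall(body):
                if is_blocked(unquote(urlparse(url).path).rsplit("/", 1)[-1]):
                    findings.append("link:" + url)
    return findings

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The check relies only on the file name in the attachment header or URL path, so it does not catch a link whose path hides the real file type behind a redirect.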