New mass-mailing worm is a variant of Sobig

The new email worm, codenamed 'Mankx' or 'Palyh' is not so new after all--email security firm MessageLabs has stated that it is just a variant of the SoBig virus that was rampant months ago.


MessageLabs' 'chief virologist' Alex Shipp said traditional anti-virus vendors are finding it harder and harder to detect variants that are just slightly different from the original.

"The fact that we see about 10 new and variant viruses a day, on average, means it's getting harder and harder to protect yourself by using signature downloads. Unless you're really quite a small company with limited dependence on email, downloads are not a feasible solution any more," he said.

Anti-virus firms have begun advising users to update their software to detect infected email.

The message forges its From address as support@microsoft.com, and the body is invariably "All information is in the attached file". Users should not open the attachment. The subject line varies; a list appears at the bottom of this article.

According to Symantec, the email carries the mass-mailing worm W32.HLLW.Mankx@mm.

"Symantec Security Response has rated the virus a level 3 on a scale of 1-5, with 5 being the most serious," said a statement from Symantec.

The W32.HLLW.Mankx@mm worm sends itself to every email address it finds in files with the following extensions: .wab, .dbx, .htm, .html, .eml and .txt. The worm deactivates on May 31, so the last day it will spread is May 30, according to Symantec.

The attachment is a PIF, or program information file, a file type that Windows runs as an executable and whose .pif extension Explorer hides by default, so the attachment can appear to carry a different, harmless extension. Upon execution, the worm mails itself to the addresses it finds on the victim's machine.

According to Jamie Gillespie, security analyst with AusCERT, the virus is a traditional mass-mailer. It uses the victim’s address book to find new victims.

"It appears to be using the address book as a single source at least," he said.

When AusCERT was contacted, anti-virus vendors did not yet have signatures that could detect this latest threat, which could result in faster propagation than normal.

"Currently there is no public information regarding this virus," he told ZDNet Australia. "Anti-virus software is only as good as the signatures [so] 'zero-day' viruses can propagate quite quickly".

An element of reverse psychology could be at work, according to Computer Associates' security consultant Daniel Zatz. The fact that the email contains little information and does not pressure the recipient into opening the attachment could be exactly why people are opening it, he told ZDNet Australia.

"Maybe the curiosity aspect of saying absolutely nothing is perhaps a better lure," he said.

Most large organisations should be protected because they already block the .pif file extension at the mail gateway, a practice Zatz advocates, but small to medium enterprises will probably be affected.

ZDNet Australia will update this article when anti-virus companies publish information or signatures. See below for subject lines used by the worm.

  • Approved (Ref: 38446-263)
  • Re: My application
  • Screensaver
  • Re: Movie
  • Your details
  • Re: My details
  • Your password
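The indicators above (the forged support@microsoft.com sender, the fixed body text, the listed subject lines and the .pif attachment) are enough for a mail gateway to triage a message without waiting for a signature, which is the point Zatz makes about blocking .pif outright. The following script is an added example and not code from ZDNet Australia or any of the vendors quoted; the two sample messages are constructed for the example, and the extension block list beyond .pif is an assumed extension of the same policy to other Windows-executable types.

```python
"""Gateway-side triage for the Palyh/Mankx mailing described above."""
import email
import os
from email import policy
from email.utils import parseaddr

# Indicators named in the article: forged From address, fixed body text,
# the observed subject lines, and a .pif attachment.
FORGED_SENDER = "support@microsoft.com"
BODY_TEXT = "all information is in the attached file"
KNOWN_SUBJECTS = {
    "approved (ref: 38446-263)",
    "re: my application",
    "screensaver",
    "re: movie",
    "your details",
    "re: my details",
    "your password",
}
# Extensions blocked outright at the gateway. The article only names .pif;
# the others are an assumed extension of that policy to other executable types.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}


def attachment_names(msg):
    """Filenames of every MIME part that carries one (nested parts included)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def blocked_attachment(filename):
    """True if the final extension is on the block list. The check is
    case-insensitive and looks only at the last extension, so a double
    extension such as 'movie.AVI.PIF' is still caught."""
    return os.path.splitext(filename.strip().lower())[1] in BLOCKED_EXTENSIONS


def triage(raw):
    """Return (verdict, reasons) for one raw RFC 2822 message.

    'block' if any attachment is an executable type, or if at least two of
    the worm's mail-level indicators are present; 'flag' on a single
    indicator, so a legitimate 'Re: My details' reply is not silently
    dropped; 'deliver' otherwise.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    if parseaddr(str(msg.get("From", "")))[1].lower() == FORGED_SENDER:
        reasons.append("sender claims to be " + FORGED_SENDER)
    if str(msg.get("Subject", "")).strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject on worm list")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = " ".join(body.get_content().split()).lower().rstrip(".")
        if text == BODY_TEXT:
            reasons.append("body is the worm's fixed text")

    bad = [n for n in attachment_names(msg) if blocked_attachment(n)]
    if bad:
        reasons.append("executable attachment: " + ", ".join(bad))
        return "block", reasons

    if len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "flag", reasons
    return "deliver", reasons


# Constructed sample messages for the example (not real captures).
WORM_SAMPLE = b"""From: support@microsoft.com
To: someone@example.org
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

CLEAN_SAMPLE = b"""From: alice@example.org
To: bob@example.org
Subject: Re: My details
Content-Type: text/plain; charset="us-ascii"

Hi Bob, here are the updated details we discussed. Alice
"""

if __name__ == "__main__":
    for raw in (WORM_SAMPLE, CLEAN_SAMPLE):
        print(triage(raw))
```

The executable-attachment rule fires on its own because it is a policy decision rather than a worm signature: it needs no knowledge of this particular variant, which is why it keeps working when the next slightly-different variant appears. The subject and body rules are variant-specific and are deliberately weaker, since "Re: My details" is a perfectly ordinary subject for real mail.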

Patrick Gray writes for ZDNet Australia.
