New mass-mailing worm is a variant of Sobig
MessageLabs' 'chief virologist' Alex Shipp said traditional anti-virus vendors are finding it harder and harder to detect variants that are just slightly different from the original.
"The fact that we see about 10 new and variant viruses a day, on average, means it's getting harder and harder to protect yourself by using signature downloads. Unless you're really quite a small company with limited dependence on email, downloads are not a feasible solution any more," he said.
Anti-virus firms have begun advising users to update their software to detect infected email.
The message forges the support@microsoft.com from address, and the body is invariably: "All information is in the attached file". Users should not open the attachment. The subject line varies; see the bottom of this article for a list.
According to Symantec, the email holds the mass-mailing worm W32.HLLW.Mankx@mm.
"Symantec Security Response has rated the virus a level 3 on a scale of 1-5, with 5 being the most serious," said a statement from Symantec.
The W32.HLLW.Mankx@mm worm sends itself to all email addresses it finds in files with the following extensions: .wab, .dbx, .htm, .html, .eml and .txt. The worm deactivates on May 31; therefore the last date it will spread is May 30, according to Symantec.
The attachment is a PIF, or program information file. Upon execution, it self propagates using the victim’s address book.
According to Jamie Gillespie, security analyst with AusCERT, the virus is a traditional mass-mailer. It uses the victim’s address book to find new victims.
"It appears to be using the address book as a single source at least," he said.
Anti-virus vendors do not yet have any signatures that can be used to detect this latest threat, which could result in a more rapid propagation than normal.
"Currently there is no public information regarding this virus," he told ZDNet Australia. "Anti-virus software is only as good as the signatures [so] 'zero-day' viruses can propagate quite quickly."
An element of reverse psychology could be at work, according to Computer Associates' security consultant Daniel Zatz. The fact that the e-mail contains little information and does not pressure the recipient into opening the attachment could be the very reason people are in fact opening it, he told ZDNet Australia.
"Maybe the curiosity aspect of saying absolutely nothing is perhaps a better lure," he said.
Most large organisations should be protected because they block the .pif file extension, a practice advocated by Zatz, but small to medium enterprises will probably be impacted.
ZDNet Australia will update this article when anti-virus companies publish information or signatures. See below for subject lines used by the worm.
- Approved (Ref: 38446-263)
- Re: My application
- Screensaver
- Re: Movie
- Your details
- Re: My details
- Your password
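The article gives a defender everything needed for an interim mail-gateway screen while signatures are pending: the forged support@microsoft.com sender, the fixed body text, the .pif attachment that Zatz recommends blocking, and the subject lines listed above. The following is an added example, not code from ZDNet, Symantec or any vendor named in the article; it parses standard MIME messages with Python's `email` module, and the three sample messages (including the attachment file name `attachment.pif`) are constructed for illustration.

```python
"""Added example: screen incoming mail against the indicators the article describes.

Indicator lists come from the article text; sample messages below are constructed.
"""
from email import message_from_string
from email.message import Message

FORGED_SENDER = "support@microsoft.com"                 # forged From address
FIXED_BODY = "all information is in the attached file"  # invariant body text
KNOWN_SUBJECTS = {                                      # subject lines from the article
    "approved (ref: 38446-263)", "re: my application", "screensaver",
    "re: movie", "your details", "re: my details", "your password",
}
BLOCKED_EXTENSIONS = (".pif",)   # extension large organisations already block


def attachment_names(msg: Message) -> list:
    """Collect the file names of all parts that carry one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def body_text(msg: Message) -> str:
    """Return the first text/plain part, decoded, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                return payload.decode("utf-8", "replace")
    return ""


def screen_message(raw: str) -> dict:
    """Return the indicators hit and a verdict.

    'block'      : a .pif attachment, or forged sender together with the fixed body
    'suspicious' : any other indicator hit (e.g. a listed subject alone)
    'allow'      : nothing matched
    """
    msg = message_from_string(raw)
    hits = []
    if FORGED_SENDER in (msg.get("From") or "").lower():
        hits.append("forged_sender")
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known_subject")
    if FIXED_BODY in body_text(msg).strip().lower():
        hits.append("fixed_body")
    if any(n.lower().endswith(BLOCKED_EXTENSIONS) for n in attachment_names(msg)):
        hits.append("pif_attachment")

    if "pif_attachment" in hits or {"forged_sender", "fixed_body"} <= set(hits):
        verdict = "block"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "allow"
    return {"verdict": verdict, "hits": hits}


# Constructed sample: matches every indicator in the article.
WORM_SAMPLE = """\
From: support@microsoft.com
To: someone@example.com
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file
--b1
Content-Type: application/octet-stream; name="attachment.pif"
Content-Disposition: attachment; filename="attachment.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAE
--b1--
"""

# Constructed sample: a listed subject line but nothing else (a real reply could look like this).
SUBJECT_ONLY_SAMPLE = """\
From: colleague@example.com
To: someone@example.com
Subject: Re: Movie
Content-Type: text/plain

Are we still going on Friday?
"""

# Constructed sample: ordinary mail, no indicators.
CLEAN_SAMPLE = """\
From: colleague@example.com
To: someone@example.com
Subject: Quarterly figures
Content-Type: text/plain

Numbers attached to the ticket, not to this mail.
"""

if __name__ == "__main__":
    for name, raw in (("worm", WORM_SAMPLE), ("subject-only", SUBJECT_ONLY_SAMPLE),
                      ("clean", CLEAN_SAMPLE)):
        print(name, screen_message(raw))
```

The subject lines alone only raise a "suspicious" verdict because several of them ("Re: Movie", "Your details") are plausible in legitimate mail; the .pif attachment is the one indicator worth blocking outright, which is exactly the control the article says large organisations already had in place.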
Patrick Gray writes for ZDNet Australia.