'Swiss Army knife' virus appears in a weekend
A new 'Swiss Army' worm initially thought to be MyDoom is exploiting a vulnerability discovered just five days ago.
The worm combines multiple attack techniques in an innovative way: spamming, social engineering, virus infection and Trojans. It has also appeared in record time.
According to antivirus company F-Secure, the virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All version of the worm also open a back door to the infected computers.
Versions A, B and C of the Bofra (buffer overflow frame exploit) worm were first thought to be the most recent additions to the MyDoom family, which targets a weakness in Microsoft Internet Explorer 6.0.
But further research has showed that the worms, which spam themselves using social engineering tactics, share too few similarities with MyDoom to be classed as one of the family.
"It's exploiting a hole for which there is not a fix," said Graham Cluley, senior technology consultant for Sophos. "This must be the fastest turnaround yet between finding a vulnerability and a full blown worm."
"It's not a MyDoom virus. There are some similarities, but there are some differences too," said Cluley.
Sophos said it had seen a high number of the messages at the Internet gateway, which implied that they had initially been spammed out. The messages use fake PayPal messages to trick users into clicking on a link. According to F-Secure, the message reads:
"Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is 866DEC0A, and your item will be shipped within three business days.
To see details please click this link"
Cluley added: "Although it mentions PayPal, we haven't seen any phishing. But you'd be so outraged about credit card forgery you would probably click on the link."
Microsoft has yet to release a patch for the IE vulnerability, which security company Secunia issued an advisory about last week. The new worm turned up with surprising speed.
"By Monday we've got a full-blown worm," added Cluley. "Microsoft is meant to be releasing its [monthly] pack of fixes soon, and they didn't mention this. There's a good chance they won't fix this today."
F-Secure also agreed that it was likely that the virus could be something other than MyDoom because the worms only shared half of the properties with MyDoom patterns.
"They are not that similar to existing MyDooms," said Patrik Runald, technical manager for F-Secure. "We haven't received that many reports. But it's interesting because it is only days since the vulnerability was announced."
The viruses, F-Secure added, exploit a vulnerability in Microsoft Internet Explorer 6.0 on Windows 2000 and Windows XP SP1. Windows XP SP2 users are said to be unaffected.
"This uses the same technology as Sasser or Blaster," said Runald. "Most worms use some download functionality on the Internet, and it's fairly easy to close those down. But this makes it much more difficult."
"Really the only way to protect yourself is to not click on the link, to delete unwanted emails, to run antivirus software and to upgrade to [Windows XP SP2]. Only IE is affected by this. If you run Mozilla, Netscape or Opera, you'll be fine," he said.