
New mass-mailing worm is a variant of Sobig

The new email worm, codenamed 'Mankx' or 'Palyh' is not so new after all--email security firm MessageLabs has stated that it is just a variant of the SoBig virus that was rampant months ago.


MessageLabs' 'chief virologist' Alex Shipp said traditional anti-virus vendors are finding it harder and harder to detect variants that are just slightly different from the original.

"The fact that we see about 10 new and variant viruses a day, on average, means it's getting harder and harder to protect yourself by using signature downloads. Unless you're really quite a small company with limited dependence on email, downloads are not a feasible solution any more," he said.

Anti-virus firms have begun advising users to update their software to detect infected email.

The message forges support@microsoft.com as the From address, and the body is invariably: "All information is in the attached file". Users should not open the attachment. The subject line varies; see the bottom of this article for a list.

According to Symantec, the email holds the mass-mailing worm W32.HLLW.Mankx@mm.

"Symantec Security Response has rated the virus a level 3 on a scale of 1-5, with 5 being the most serious," said a statement from Symantec.

The W32.HLLW.Mankx@mm worm sends itself to all email addresses it finds in files with the extensions .wab, .dbx, .htm, .html, .eml and .txt. The worm deactivates on May 31, so the last day it will spread is May 30, according to Symantec.

The attachment is a PIF, or program information file, an executable type on Windows. Upon execution, it self-propagates using the victim's address book.

According to Jamie Gillespie, security analyst with AusCERT, the virus is a traditional mass-mailer. It uses the victim’s address book to find new victims.

"It appears to be using the address book as a single source at least," he said.

When AusCERT commented, anti-virus vendors did not yet have signatures that could detect this latest threat, which could result in more rapid propagation than usual.

"Currently there is no public information regarding this virus," he told ZDNet Australia. "Anti virus software is only as good as the signatures [so] ‘zero-day’ viruses can propagate quite quickly".

An element of reverse psychology could be at work, according to Computer Associates' security consultant Daniel Zatz. Because the e-mail contains little information and doesn't pressure the recipient into opening the attachment, people may in fact be more inclined to open it, he told ZDNet Australia.

"Maybe the curiosity aspect of saying absolutely nothing is perhaps a better lure," he said.

Most large organisations should be protected because they block the .pif file extension, a practice Zatz advocates, but small to medium enterprises will probably be affected.

ZDNet Australia will update this article when anti-virus companies publish information or signatures. See below for subject lines used by the worm.

  • Approved (Ref: 38446-263)
  • Re: My application
  • Screensaver
  • Re: Movie
  • Your details
  • Re: My details
  • Your password
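The indicators above (the forged support@microsoft.com sender, the fixed body text, the .pif attachment and the list of subject lines) are enough to write a gateway-style triage rule without waiting for a vendor signature, which is the gap Gillespie describes. The following is an added example written for this article, not code from ZDNet, MessageLabs, Symantec or AusCERT. It uses only Python's standard `email` package. The sample messages are constructed here for testing, not real captures; the recipient addresses are placeholders; and the extensions other than .pif in the block list are an assumption (common executable types), since the article only names .pif.

```python
"""Triage incoming mail for the Palyh/Mankx (Sobig variant) fingerprint.

Rule 1 blocks dangerous attachment types outright, as the article recommends.
Rule 2 flags mail whose headers and body match the worm's fixed template,
which catches copies whose attachment has been renamed or re-wrapped.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the article.
FORGED_FROM = "support@microsoft.com"
BODY_TEXT = "all information is in the attached file"
KNOWN_SUBJECTS = {
    "Approved (Ref: 38446-263)",
    "Re: My application",
    "Screensaver",
    "Re: Movie",
    "Your details",
    "Re: My details",
    "Your password",
}
# .pif is the extension the article names; the rest are assumed additions.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}


def attachment_names(msg):
    """Filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw):
    """Return (verdict, reasons) for a raw RFC 822 message string.

    verdict is "block", "suspicious" or "clean".
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # Rule 1: hard block on attachment type, whatever the headers say.
    # splitext handles double extensions such as "details.txt.pif".
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}: {name}")
    if reasons:
        return "block", reasons

    # Rule 2: content fingerprint; two or more hits marks the mail suspicious.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == FORGED_FROM:
        reasons.append("forged From: " + sender)

    subject = str(msg.get("Subject", "")).strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append("known worm subject: " + subject)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text.rstrip(".") == BODY_TEXT:
        reasons.append("fixed worm body text")

    if len(reasons) >= 2:
        return "suspicious", reasons
    return "clean", reasons


def build_sample(sender, subject, body, attachment=None):
    """Construct a test message (not a real capture). attachment=(name, bytes)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.com"  # placeholder recipient
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples: the worm as described, a renamed copy, and ordinary mail.
WORM_SAMPLE = build_sample(FORGED_FROM, "Your details",
                           "All information is in the attached file",
                           ("your_details.pif", b"MZ\x90\x00 fake stub"))
RENAMED_SAMPLE = build_sample(FORGED_FROM, "Re: Movie",
                              "All information is in the attached file",
                              ("movie.zip", b"PK\x03\x04"))
CLEAN_SAMPLE = build_sample("colleague@example.com", "Re: Movie",
                            "Here is the file you asked for.",
                            ("notes.txt", b"hello"))

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("renamed", RENAMED_SAMPLE),
                       ("clean", CLEAN_SAMPLE)):
        verdict, reasons = classify(raw)
        print(f"{label:8s} -> {verdict:10s} {reasons}")
```

The renamed sample shows why the extension block alone is not enough: a .zip attachment passes rule 1, but the forged sender, the fixed body and the known subject still give three hits. The clean sample shares a subject line with the worm ("Re: Movie" is an ordinary reply subject) and is correctly left alone, which is why a single indicator is never treated as a verdict.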

Patrick Gray writes for ZDNet Australia.