Worm in fake eBay research e-mail starts spreading: AV company

The Myfip worm was first detected more than a month ago but e-mail security firm Messagelabs said it has noticed the worm is starting to spread. The company expects Myfip to be difficult for antivirus software to detect because it has been compressed using an uncommon packing utility.

Virus authors have a choice of different utilities to compress and encrypt their malware. Inexperienced malware coders -- or script kiddies -- oftem use one of the popular packing programs available freely on the Internet. But Messagelabs has warned that Myfip uses a packer that it has not seen before, which could indicate that the virus writer created one specially.

According to Messagelabs, "Myfip uses a packer previously unseen in e-mail virus distribution. The use of an uncommon packer could make it more difficult for antivirus software vendors to identify and protect against the malicious code within".

Antivirus firm Symantec's Security Response site said Myfip searches an infected computer for any network directories and attempts to copy itself to those directories with a file-name "Iloveyou.txt.exe".

If the network directory is password protected, Myfip attempts to log in as the administrator using a number of common passwords.

The company reports that the worm is "easy" to remove.

Even if antivirus scanners have a problem spotting the new worm the badly worded email should make any potential victims somewhat suspicious.

Myfip arrives in an e-mail with the subject "hi, [recipient], I'm webmaster of eBay.com, and we raise a research in our Website".

The main body of the e-mail asks the recipient to take part in a -Multiple Item Auction" with the chance of winning a prize.

"If you're the winner of Multiple Item Auctions, you can get the following thing... 1.a notebook that worth 18000$... 2.a camara [sic] worth 1000$".