Home & Office

Seasonal virus is unwelcome present

A seasonal email worm emails a victim's contact list to their entire address book by duping gullible users into thinking it is a Christmas treat
Written by Wendy McAuliffe, Contributor and  Graeme Wearden, Contributor

A mass-mailing Internet worm that purports to offer New Year greetings has been spreading rapidly throughout Wednesday, and is rumoured to be the big Christmas virus that antivirus companies have been gearing up for.

The first copy of the virus was detected at 7:23am GMT by security firm MessageLabs and is said to have originated from South Africa. By using a number of aliases, the email worm has spread virulently throughout the day. MessageLabs has detected 925 incidents of the worm at an Internet level to date, from a number of countries across the globe.

"This won't be as big as Goner, but it is likely to be the biggest Christmas virus," said Alex Shipp, antivirus technology expert at MessageLabs.

The worm, operating under the guises of Zacker, Reeezak, Maldal and Keyluc, arrives with the subject header "Happy New Year", and contains a file attachment entitled "christmas.exe". It uses familiar social engineering tactics to entice recipients to double click on the attachment, before mailing itself and the victim's contact list to everyone in the contact's address book.

"Over the last week, we have seen thousands of executable files like this that have been sent as jokes or Christmas cards," said Shipp. "We have seen 4,000 copies of such viruses this week, and so from a social engineering point of view, it looks like this virus will continue."

The worm arrives with the body text:

"I can't describe my feelings

But all i can say is

Happy New Year :-)


Once the Christmas.exe application is opened, the worm will modify the user's Internet Explorer (IE) home page so that the browser now points to a malicious Web site. This site will then exploit a vulnerability in IE and run a Visual Basic Script on the infected computer that will attempt to delete significant portions of the Windows operating system.

Experts believe the worm spreads through shared network drives, and by taking advantage of Microsoft applications. Computer Associates has reported that the virus will email itself to everyone in an infected victim's Outlook address book.

According to reports, Symantec believes the worm also spreads via Microsoft's Instant Messaging software, and will try to delete antivirus software from an infected PC.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards