New worm threat rings in the New Year

Think twice before opening that e-mail wishing you a Happy New Year.

Security experts warn a new virus has been popping up on thousands of computers, just as people – back to work after the holidays – have begun firing up their computers and checking their inboxes.

The worm-type virus contaminates computers when users open a message with the subject heading ‘Happy New Year’ and click on the attached postcard.exe file, according to security software firm Symantec Corp. of Cupertino, Calif.

Dubbed W32.Mixor.Q@mm, the virus was first uncovered on December 29, but began spreading rapidly this week as people got back to work.

The Mixor is a mass-mailing worm that drops additional malware on the compromised machine, according to a report filed by Ka Chun Leung, security response engineer, Symantec.

The report rated the virus as a medium threat, but characterized its distribution level as high.

The worm is already being heavily spammed, with at least one network sending out five e-mails per second, according to VeriSign Inc., a security and telecom firm in Mountain View, Calif.

VeriSign said the worm can install several malicious code variants including Tibs, Nwar, Banwaru, and Glowa on a victim’s computer.

The previous year was capped by a virulent attack on the popular social networking site MySpace.com. At least one Canadian analyst said the worm spreading under the ‘Happy New Year’ heading appears to be 2007’s first publicized attack.

“It looks like somebody just decided to start the New Year with a bang,” said Joe Green, vice-president, security research, IDC Canada Ltd. in Toronto.

Green said attackers like to take advantage of special occasions or holidays such as New Year’s or Valentine’s Day to send out viruses via e-mail, knowing that many people – expecting to receive messages from colleagues, relatives or loved ones – will be caught off guard.

He said spam filters appear to provide adequate protection from the threat, but also urged vigilance. “The best protection is to be wary of unsolicited e-mail. Don’t open suspicious messages, even if they appear harmless.”

Once inside the machine, Symantec said, the virus makes copies of itself in several folders. The virus also deactivates security-related processes and then gathers e-mail addresses from the Windows Address Book and other files.

Using its own simple mail transfer protocol (SMTP) engine, the virus then mails itself to all the addresses that it finds. The virus is able to make the message appear to come from someone you know.

The Symantec report said the new worm affects machines loaded with Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. The security software firm said the virus can be easily contained and removed. Symantec provided more information and instructions on its Web site.

The Mixor launches a “modular malicious attack” that opens up the victim’s machine for other viruses, according to Dave Cole, director, security response, Symantec.

“The intention is to plant the worm so it can create a gateway into the machine for whatever other virus the attacker wants to send,” said Cole.

In this case, the worm was dropping the spam-spreading Trojan Galapoper A virus on the compromised machines. The attacker’s intentions can change and Mixor can be used to usher a host of other viruses into the machine, said Cole.

As a compromised machine might contain more than one type of virus after the initial attack, a thorough clean up of the computer is needed. “You’re not only looking for Mixor, you’re also searching for the other viruses it let in.”
