New email worm on the move

Several anti-virus vendors are warning of a new email worm that's rapidly spreading throughout the internet. The new fast-moving virus, referred to as the "Here you have" virus because of the email subject line it uses, reportedly has multiple variants and includes links to supposed sex movies ("This is The Free Dowload Sex Movies,you can find it Here") and an online document ("This is The Document I told you about,you can find it Here").

While the links included in the emails appear to lead to a downloadable Windows Media Video (WMV) file and a PDF document, they are actually disguised executable files (.scr). Once downloaded, double clicking the files installs the W32/VBMania@MM / WORM_MEYLME.B worm. After being installed into the Windows directory as CSRSS.EXE, the worm then sends itself to all of the recipients in a victim's address book. According to security specialist Trend Micro, it then installs a backdoor and attempts to disable and delete various virus scanners and security applications. A number of AV vendors have already released updated signatures that recognise the pest and block it from infecting a user's system.

More recently, virus writers have been attempting to spread their pests using vulnerabilities in web browsers and plug-ins. Because attacks via email haven't been as well publicised, or seemingly as effective, as they have been in the past, a resurgence in the use of email to spread worms and viruses could be in the cards.

While applications can now use various exploit protection mechanisms, like Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR), a number of third-party applications are not. According to security experts like Charlie Miller and Dino Dai Zovi, however, it's still becoming increasingly difficult to exploit traditional security holes. However, as reported yesterday, a new zero day vulnerability in Adobe Reader and Acrobat is already being exploited by attackers to infect Windows systems.

(crve)