A global mass-mailer worm is spreading and, according to Symantec Security Response, affecting hundreds of thousands of computers worldwide. This appears to be a new attack; however, it is similar to classic old-school mass-mailing viruses like Nimda, Melissa and the Anna Kournikova virus from 2001.
The new, malicious computer worm spreads using a socially engineered email attack. The threat arrives in the form of a standard email that directs the recipient to click on a link embedded in the email. This link points to a malicious program file, hosted on the internet, that is disguised as a PDF file. When the user clicks on this link, their computer downloads and launches the malicious file, which installs the worm onto the victim’s computer. Initial analysis indicates that the worm disables many common AV products (but it does not successfully attack Norton/Symantec products).
Once running on the computer, the threat attempts to email a copy of the original message to all email addresses found in the infected user’s email address book. The threat also attempts to spread from computer to computer over the local network (e.g., within the enterprise intranet) by copying itself to open drive shares found on other machines on the network. Once the threat has copied itself to another machine, a user merely opening the folder that contains it on that machine launches the threat, causing it to spread further through both email and shared drives.
Symantec detects the downloaded payload as W32.Imsolk.B@mm and has added spam detection for the malicious emails as well. Symantec Hosted Services saw the first copy of this new virus 13 hours ago, at approximately 11:30pm Sydney time on Thursday 9th Sept 2010.
Enterprise customers using Symantec AntiVirus or Symantec Endpoint Protection with a Rapid Release signature set dated Sep 9th 2010 rev 023 (or later) are already completely protected. Enterprise customers using MessageLabs Hosted Email AntiVirus are also 100% protected. In addition, our Norton consumer customers were proactively protected from download of this threat through the Download Insight feature, which leverages our reputation-based security technology.
Computer users should remember best practices and keep virus definitions up-to-date, and avoid clicking on links and/or attachments in email messages. Network administrators are encouraged to configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. The file used in this case is a .SCR file.
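The following is an added example, not Symantec's code: a minimal Python check of the kind a mail gateway could apply, using the extension list above. It goes beyond attachment blocking by also checking link targets, since the message described earlier carried a link to the .SCR file rather than an attachment. The sample message and the example.invalid host names are constructed.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions the advisory names as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def blocked_extension(name):
    """Return the blocked extension a file name ends with, or None."""
    # Only the final extension counts, so "report.pdf.scr" is a .scr file.
    # Trailing dots and spaces are dropped by Windows, so strip them first.
    name = name.strip().rstrip(". ").lower()
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None

def scan_message(raw_bytes):
    """Return (kind, value) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and blocked_extension(filename):
            findings.append(("attachment", filename))
        if part.get_content_maintype() == "text" and not filename:
            for url in URL_RE.findall(part.get_content()):
                # The URL path decides what is downloaded; ignore the query.
                if blocked_extension(urlparse(url).path):
                    findings.append(("link", url))
    return findings

# Constructed sample: a plain-text message linking to a file named like a PDF.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: rcpt@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"The document: http://files.example.invalid/docs/report.pdf.scr?id=1\r\n"
)

if __name__ == "__main__":
    for kind, value in scan_message(SAMPLE):
        print(kind, value)
```

A gateway would quarantine or strip any message for which `scan_message` returns a finding.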