Numerous antivirus vendors have issued alerts about a new computer worm delivered through spam emails, which is apparently spreading rapidly despite using some decade-old techniques.
The worm sends rogue messages to email addresses collected from the address book on infected computers through the Messaging Application Programming Interface (MAPI).
The emails bear subjects like "Here you have", "Just for you" or simply "hi" and appear to originate from the targets' friends and contacts.
Basic social engineering is used to trick recipients into opening malicious links and downloading the worm installer.
The URLs included in the rogue messages purport to lead to .wmv movies or .pdf documents, but in reality they point to a malicious .scr (screensaver) file, a method of packaging malware that was common a decade ago. Despite the name, a .scr file is an ordinary Windows executable, so opening it runs the worm installer.
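A mail-gateway check for the lure described above, added here as an example and not taken from the article or from any vendor's product: it parses an HTML message body, pairs each link's visible text with its real target, and flags links whose displayed name ends in .pdf or .wmv while the href ends in .scr. It generalizes slightly beyond the article by treating other executable extensions the same way. The sample body, the host example.invalid and the file name Report_2010.pdf.scr are constructed for the example; the subject list comes from the article.

```python
"""Flag mail links whose visible name promises a document but whose target is an executable."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# What the lure claims to deliver versus what it actually drops.
CLAIMED_DOC_EXTS = {".pdf", ".wmv"}
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
# Subject lines the article reports for this campaign.
LURE_SUBJECTS = {"here you have", "just for you", "hi"}

# Constructed sample body: host, path and file name are made up for this example.
SAMPLE_MAIL = """<html><body>Hello:<br>
This is the document I told you about, you can find it here.<br>
<a href="http://example.invalid/library/Report_2010.pdf.scr">
http://example.invalid/library/Report_2010.pdf</a><br>
Please check it and reply as soon as possible.<br>
<a href="http://example.invalid/unsubscribe.html">Unsubscribe</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _ext(name):
    """Last extension of a path or file name, lower-cased ('' if none)."""
    m = re.search(r"(\.[a-z0-9]{2,4})$", name.lower())
    return m.group(1) if m else ""


def classify_link(href, text):
    """Return why a link is suspicious, or None if it is not."""
    target_ext = _ext(urlparse(href).path)
    # The visible text may itself look like a URL, or just be a file name or words.
    shown_ext = _ext(urlparse(text).path) if "://" in text else _ext(text)
    if target_ext in EXECUTABLE_EXTS and shown_ext in CLAIMED_DOC_EXTS:
        return f"text advertises {shown_ext} but target is {target_ext}"
    if target_ext in EXECUTABLE_EXTS:
        return f"target is an executable ({target_ext})"
    return None


def find_lure_links(html_body):
    """All (href, reason) pairs in the body that classify_link flags."""
    parser = _LinkCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        reason = classify_link(href, text)
        if reason:
            hits.append((href, reason))
    return hits


def is_lure_subject(subject):
    """True for the subject lines this campaign was reported to use."""
    return subject.strip().lower().rstrip("!.").strip() in LURE_SUBJECTS


if __name__ == "__main__":
    print("lure subject:", is_lure_subject("Here you have"))
    for href, reason in find_lure_links(SAMPLE_MAIL):
        print(f"{href}: {reason}")
```

The visible-text comparison is the part worth keeping: a link to an .scr file is suspicious on its own, but the mismatch between what the recipient is shown and where the href really goes is the actual social-engineering signal, and it does not depend on the specific file name or domain the worm happened to use.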
The worm is known by different names depending on the security vendor: Worm:Win32/Visal.B (Microsoft), W32.Imsolk.B@mm (Symantec) or WORM_MEYLME.B (Trend Micro).
Its payload involves disabling certain antivirus programs and adding registry entries that suppress several security alerts.
Security researchers warn that it also propagates via removable drives and network shares, where it copies itself along with an autorun.inf file.
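The removable-drive vector relies on autorun.inf telling Windows what to launch when the drive is inserted, so the file is worth inspecting before anything on the drive is opened. The parser below is an added example, not the worm's own autorun.inf (which the article does not reproduce): it extracts the launch targets an autorun.inf declares and flags any that point at an executable. The sample file content and the file name open.exe are constructed.

```python
"""Extract and flag the launch targets declared in an autorun.inf (standard library only)."""
import configparser

# Extensions that make a launch target a program rather than a document.
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd")

# Constructed sample: not the worm's real autorun.inf, which the article does not reproduce.
SAMPLE_AUTORUN = """[autorun]
open=open.exe
icon=open.exe,0
shellexecute=open.exe
shell\\open\\command=open.exe
shell\\explore\\command=open.exe
action=Open folder to view files
"""


def autorun_launch_targets(autorun_text):
    """Return (key, value) pairs that run something: open=, shellexecute=, shell\\<verb>\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(autorun_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":  # section name is case-insensitive on Windows
            continue
        for key, value in cp.items(section):
            key = key.lower()  # configparser lowercases keys already; explicit for clarity
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, (value or "").strip()))
    return targets


def suspicious_launch_targets(autorun_text):
    """Keep only launch targets whose program (first token of the command) is an executable."""
    hits = []
    for key, value in autorun_launch_targets(autorun_text):
        tokens = value.split()
        program = tokens[0].lower() if tokens else ""
        if program.endswith(EXECUTABLE_EXTS):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    for key, value in suspicious_launch_targets(SAMPLE_AUTORUN):
        print(f"{key} -> {value}")
```

Checking all three key families matters: open= is the classic entry, but shellexecute= and the shell\<verb>\command entries also run a program, and the latter hijack the "Open" and "Explore" menu items so that the worm runs even when a user avoids autoplay and opens the drive from Explorer.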
In addition, the worm harvests IDs from IM applications like Yahoo! Messenger, which it then uses to spam more malicious links.
Trend Micro reports that a Bifrost variant also gets dropped on computers affected by this threat. Bifrost, also spelled Bifrose, is a family of backdoors dating back to 2004.
Several folders located in C:\Windows\system on infected machines will be shared on the local network under the name "Updates."
"Since the malware shares some System folders without the user’s knowledge, it will render the system vulnerable," explains Patrick Estavillo, threats analyst at Trend.
"We strongly encourage customers to be cautious about clicking suspicious or even simply unexpected links in email, even if it’s sent by someone you know," malware researchers from Microsoft advise.