Oct 8, 2010 10:55 GMT  ·  By
New worm sends infected emails in the name of Google, Facebook, Twitter, hi5, Amazon and Hallmark

Security researchers warn that a new variant of a computer worm sends itself attached to fake emails that appear to originate from Google, Facebook, Twitter, hi5, Amazon or Hallmark.

The rogue messages have different subjects, content and attachment names, depending on which company they purport to be sent from.

For example, some of them bear a subject of "Thank you from Google!" and claim to be sent from a [email protected] address.

The enclosed message suggests that they are automated responses to Google job applications, and the attached file, which contains the worm installer, is called "CV-20100120-112.zip."

Meanwhile, others pose as unread message notifications from Facebook. Their subject is "You have got a new message on Facebook!" and the attachment is called "Facebook message.zip."

The alleged Twitter emails masquerade as invitations to join the service and carry a file called "Invitation Card.zip." The hi5 ones are similar, but claim to be friend request notifications.

The emails referencing Amazon pose as order shipping updates and the attached file is called "Shipping documents.zip." And finally, the Hallmark messages purport to contain an E-Card in a "Postcard.zip" attachment.

All of the emails appear to have been constructed based on templates used by the abused companies and carry their logos.
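As an added illustration (not code from the article or from Bkis), the lure subjects and attachment names listed above can be turned into a simple mail-gateway check. The log format, sender addresses and sample records below are constructed for the example; it flags exact matches against the reported lures and, more broadly, any sender claiming one of the abused brands that delivers a zip archive.

```python
import re
from collections import namedtuple

# Lure attachment names and subjects reported for this worm variant,
# grouped by the brand each email impersonates.
LURE_ATTACHMENTS = {
    "google": {"cv-20100120-112.zip"},
    "facebook": {"facebook message.zip"},
    "twitter": {"invitation card.zip"},
    "hi5": {"invitation card.zip"},
    "amazon": {"shipping documents.zip"},
    "hallmark": {"postcard.zip"},
}
LURE_SUBJECTS = {"thank you from google!", "you have got a new message on facebook!"}
ALL_LURE_NAMES = set().union(*LURE_ATTACHMENTS.values())

# Constructed gateway log format (an assumption, not from the article):
# from=<addr> subject="..." attachment="..."
LINE_RE = re.compile(r'from=<([^>]*)>\s+subject="([^"]*)"\s+attachment="([^"]*)"')

Finding = namedtuple("Finding", "sender subject attachment reason")

def classify(line):
    """Return a Finding for a suspicious record, or None for clean/unparsable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sender, subject, attachment = m.groups()
    # Exact match against the lures described in the report.
    if subject.lower() in LURE_SUBJECTS or attachment.lower() in ALL_LURE_NAMES:
        return Finding(sender, subject, attachment, "known lure")
    # Broader heuristic: a sender claiming one of the abused brands
    # (spoofed or lookalike domain) that delivers a zip archive.
    labels = sender.rsplit("@", 1)[-1].lower().split(".")
    if any(b in labels for b in LURE_ATTACHMENTS) and attachment.lower().endswith(".zip"):
        return Finding(sender, subject, attachment, "brand sender with zip attachment")
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample records for a dry run (addresses are placeholders).
SAMPLE_LOG = [
    'from=<careers@google.example> subject="Thank you from Google!" attachment="CV-20100120-112.zip"',
    'from=<notify@facebook.example> subject="You have got a new message on Facebook!" attachment="Facebook message.zip"',
    'from=<orders@amazon.example> subject="Your order has shipped" attachment="Shipping documents.zip"',
    'from=<alice@example.org> subject="Lunch on Friday" attachment="menu.pdf"',
    'from=<friends@hi5.example> subject="New friend request" attachment="Friends.zip"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.reason, "|", f.sender, "|", f.attachment)
```

Because the From header is attacker-controlled, the brand heuristic is a triage signal only; the attachment name and subject matches are the reliable part.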

Security researchers from Vietnamese antivirus vendor Bkis note that this is a new variant of a piece of malware called W32.Hitwica.Worm.

However, according to a recent ThreatExpert analysis, Kaspersky Lab detects it as a variant of the Buzus computer trojan.

The worm drops a randomly named DLL file in the %Windir% folder and a file named HPWuSchedv.exe inside %System%. Startup registry entries are created for both of them under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

The threat has several propagation routines. In addition to sending the aforementioned emails through an external SMTP server, it copies itself to removable USB devices inserted into an infected computer.

It also creates malicious files with names like "Adobe Photoshop CS4 crack.exe", "Windows 7 Ultimate keygen.exe" or "K-Lite Mega Codec v5.5.1.exe" within shared folders.

Bkis researchers also warn that it attempts to stop known antivirus products and that it communicates with a remote IP address on port 1049.