New mass-mailing worm spotted: W32.HLLW.Mankx@mm

20/05/2003

I have this in all my POP3 accounts so, beware guys!

New mass-mailing worm spotted: W32.HLLW.Mankx@mm
http://asia.cnet.com/sg/0,39002190,39132224,00.htm

Asia update: A new email worm, named ‘Mankx’ or ‘Palyh’ by security firms, has appeared in Asia, but there is still no anti-virus signature for it, as it does not appear to be a variant of earlier viruses.

Symantec says it is tracking the mass-mailing worm as W32.HLLW.Mankx@mm.

“Symantec Security Response has rated the virus a level 3 on a scale of 1-5, with 5 being the most serious,” said a statement from Symantec.

The W32.HLLW.Mankx@mm worm sends itself to all email addresses it finds in files with the following extensions: .wab, .dbx, .htm, .html, .eml and .txt. The worm deactivates on May 31, so the last day it will spread is May 30, according to Symantec.

The message forges support@microsoft.com as the From: address, and the body is invariably: “All information is in the attached file”. Users should not open the attachment. The subject line varies; see the bottom of this article for a list.

The attachment is a PIF (program information file). Upon execution, it propagates itself using the victim’s address book.

According to Jamie Gillespie, security analyst with AusCERT, the virus is a traditional mass-mailer. It uses the victim’s address book to find new victims.

“It appears to be using the address book as a single source at least,” he said.

Anti-virus vendors do not yet have any signatures that can be used to detect this latest threat, which could result in a more rapid propagation than normal.

“Currently there is no public information regarding this virus,” he told ZDNet Australia. “Anti virus software is only as good as the signatures [so] ‘zero-day’ viruses can propagate quite quickly”.

An element of reverse psychology could be at work, according to Computer Associates’ security consultant Daniel Zatz. The fact that the e-mail contains little information and does not pressure the recipient into opening the attachment could be exactly why people are opening it, he told ZDNet Australia.

“Maybe the curiosity aspect of saying absolutely nothing is perhaps a better lure,” he said.

Most large organisations should be protected because they block the .pif file extension, a practice advocated by Zatz, but small to medium enterprises will probably be affected.
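As an added illustration (not part of the original post or the CNET article, and not any vendor’s detection logic), the following Python script applies the indicators the article gives for this worm, a forged From: address of support@microsoft.com, the fixed body text and a .pif attachment, to parsed messages, and also enforces the attachment-extension block that Zatz advocates above. The sample messages, the attachment filenames and the blocked extensions other than .pif are constructed assumptions for the example.

```python
"""Flag mail matching the Mankx/Palyh indicators from the article and
reject attachments with blocked extensions at the gateway.

Added example; the indicators come from the article, the sample
messages and extra extensions are constructed assumptions.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

FORGED_SENDER = "support@microsoft.com"                 # from the article
BODY_MARKER = "all information is in the attached file"  # from the article
# .pif is the extension the article names; the rest are assumed additions
# that a realistic gateway policy would also block.
BLOCKED_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")


def build_message(sender, subject, body, attachment=None):
    """Construct an RFC 822 message string (sample data for this example)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, payload = attachment
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


def attachment_names(msg):
    """Filenames of every leaf MIME part that carries one."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def blocked_attachments(msg):
    """Attachment names whose extension is on the block list."""
    return [n for n in attachment_names(msg)
            if n.lower().endswith(BLOCKED_EXTENSIONS)]


def plain_body(msg):
    """Text of the first text/plain part, or '' if there is none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def classify(raw):
    """Return (verdict, reasons) for one raw message.

    verdict is 'worm' when all three article indicators are present,
    'reject-attachment' when only the extension policy fires, else 'clean'.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() == FORGED_SENDER:
        reasons.append("forged-sender")
    if BODY_MARKER in plain_body(msg).lower():
        reasons.append("lure-body")
    blocked = blocked_attachments(msg)
    if blocked:
        reasons.append("blocked-attachment:" + ",".join(blocked))
    if "forged-sender" in reasons and "lure-body" in reasons and blocked:
        return "worm", reasons
    if blocked:
        return "reject-attachment", reasons
    return "clean", reasons


# Constructed samples: one worm-like message, one benign message, and one
# benign message that still trips the extension policy.
SAMPLES = {
    "worm": build_message("support@microsoft.com", "Constructed subject",
                          "All information is in the attached file",
                          ("details.pif", b"MZ constructed stub")),
    "clean": build_message("alice@example.org", "Meeting notes",
                           "Notes from today are attached.",
                           ("notes.txt", b"agenda: constructed")),
    "policy": build_message("bob@example.org", "Installer",
                            "Here is the tool you asked for.",
                            ("setup.exe", b"MZ constructed stub")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

The worm verdict requires all three indicators together so that a single forged header or a chance match on the body text does not quarantine legitimate mail, whereas the extension check rejects on its own, which is the gateway policy the article credits with protecting large organisations.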

See also:

http://www.norton.com/avcenter/
