Advertisement
Promo

Security threats Toolkit

Winevar worm on the loose

Graham Hayday Silicon.com

Published: 27 Nov 2002 17:21 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Antivirus vendors are warning email users to watch out for a fast-spreading and potentially destructive worm, known as WORM_WINEVAR.

According to Trend Micro several cases have already been reported in France and Spain. MessageLabs first spotted the worm on 22 November and has seen around 300 copies in the last 24 hours.

It runs on all Windows platforms and propagates itself using its own Simple Mail Transfer Protocol (SMPT) engine, and sends emails to addresses it gathers from HTML files on the infected system.

According to Sophos, infected emails are likely to have the following characteristics:

From: (defaults to "AntiVirus")
Subject: (defaults to "Trand Microsoft Inc.")
Message text: " - "
Attached files:
- WINXXXX.TXT (12.6 KB) MUSIC_1.HTM
- WINXXXX.GIF (120 BYTES) MUSIC_2.CEO
- WINXXXX.PIF

The worm sends email using a known exploit that causes the attachment to automatically execute when the message is viewed or previewed on Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express.

It is capable of terminating certain monitoring programs and antivirus products from memory.

If an infected machine is restarted, WINEVAR displays the message: "Make a fool of oneself: What a foolish thing you've done!"

If the 'OK' button is pressed the worm deletes all deletable files in all folders.

Raimund Genes, president of European operations, Trend Micro, said in a statement: "This illustrates that computer users should not be lulled into a false sense of security by the relative lack of virus activity over the last few months. This time the virus writers have hit back with a particularly destructive worm, against which users can protect themselves -- by deploying an up-to-date anti-virus software and by being vigilant."

Antivirus firms such as Symantec, Kaspersky and Sophos have posted further information and protection. See your antivirus vendor's Web site for more information.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
46 out of 95 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:







Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Authentication risks all too human

Risks to successful online banking identification and authentication using smartcards involve a mixture of human and technological factors, according to the European Network and Information... More

1 comment

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

2 comments

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters