
'Happy New Year' Worm Spawns Computer Zombies


Verisign is warning of a new worm that travels via e-mail with the subject "Happy New Year!" Users who open an attached executable file trigger installation of several different malicious code variants on their computers, which then execute mass mailings. The worm, which is already being heavily spammed, is being sent via over 160 domains, the security company said.



Beware of e-mails with the subject line "Happy New Year!"

VeriSign (Nasdaq: VRSN) is warning that the message may appear to come from a well-wisher but actually contains a worm that could invade your computer and use it for malicious purposes.

The Happy New Year worm is being heavily spammed at a rate of five e-mails per second on at least one large network, VeriSign iDefense Labs revealed Thursday. Multiple large networks reported interceptions of the new e-mail threat on Dec. 28, 2006.

Making Computer Zombies

The worm is similar to other holiday attacks that security researchers reported earlier this month; in this case, it contains a file attachment called "postcard.exe" that users must download in order to infect their computers.

As of Wednesday, this was considered a new and largely undetected threat, according to Ken Dunham, director of VeriSign iDefense Intelligence Operations.

"If [the attachment is] executed, malicious code variants from Tibs, Nuwar, Banwarum, and Glowa variants are installed on the computer. It then performs a mass mailing from an infected computer," Dunham told TechNewsWorld.

The worm turns the machine into a "zombie" that has been taken over via remote control software and then sends large volumes of spam.

Holiday Triage

VeriSign iDefense Labs performed a triage analysis of the threat and found that over a dozen codes from several worm and Trojan horse families were installed on computers. The worm is being spread via 160 e-mail servers.

Two rootkit files are installed in the attack, making it difficult to detect infection because the worm remains hidden from the system.

A rootkit is a hacker security tool that captures passwords and message traffic to and from computers. Rootkits can give hackers a back door into a system or collect information on other systems on a network.

"This new threat is a classic iceberg threat, where multiple codes are installed and then protected with rootkit technology," Dunham claimed.

'Tis the Season for Malware

It has been a busy season for holiday malware. A Christmas-themed jigsaw puzzle made the rounds earlier this week -- called "Christmas_Puzzle.exe," it cloaks the "Ardamaz-E" Trojan, which also uses rootkit technology to hide itself within infected computers.

A PowerPoint file called "Christmas+Blessing-4.ppt" exploits a vulnerability in the Internet Explorer browser to deposit malicious code on vulnerable Windows machines. This particular exploit was embedded in an innocent Christmas-themed PowerPoint slide show that was circulating on the Internet before the holiday, according to security firm F-Secure.

"Christmas.exe" is another e-mail attachment that transforms target machines into zombies, giving hackers complete control.

Self-Preservation Tactics

Security researchers are warning users not to open e-mail attachments from sources they don't recognize, and to keep operating systems and antivirus programs up to date.

"The period of greatest risk is through the New Year holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a New Year's-related message," Dunham concluded. "Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period."

By Jennifer LeClaire
