Destructive Holiday Worm Circulating
- By Scott Bekker
A destructive worm that began circulating in Europe and the United States early Wednesday hides behind a holiday cheer message, then distributes itself to an Outlook contacts list and delivers a destructive payload.
The worm could be a social-engineering nightmare because many users drop their guard for holiday messages from friends and co-workers, a virus expert warned.
According to Computer Associates, the worm has the subject "Happy New Year" and the message body reads:
I can't describe my feelings
But all i can say is
Happy New Year :)
A 37 KB attachment called "Christmas.exe" carries a Flash Animation icon.
Once the attachment is activated, the message sends itself to all entries in an Outlook contacts list, disables several keys on the keyboard, modifies the registry and deletes files in the Windows System directory.
CA rates the worm a medium to high risk. That threat assessment is much higher than that of some competitors, including Trend Micro, which rates it as low risk.
Ian Hameroff, the director for antivirus solutions at CA, explains that his company gave a higher threat rating for the worm because of its social engineering component.
"It's themed around the holidays. It looks like it's bearing New Year's tidings. Someone may let their guard down, thinking it's a card, even though they've been told numerous times not to touch the hot stove, the hot stove being suspicious executables," Hameroff says.
Hameroff also notes that although the technique is not new, the wide spread of several similar worms in the second half of this year shows that users are far from immune to such worms. He estimates that the worm has the potential to infect thousands of computers.
CA calls the worm W32/Reeezak.worm. Trend Micro calls it Worm_Maldal.C with aliases of Kerzac.A or Kerzac.
A user can interrupt the memory resident program by pressing CTRL-ALT-DEL keys, selecting "sm56hlpr" and clicking "End Task," according to Trend Micro.
But due to the destructive nature of the worm, infected systems can be damaged so severely that they require restoration from backup or reinstallation.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.