Destructive Holiday Worm Circulating

A destructive worm that began circulating in Europe and the United States early Wednesday hides behind a holiday cheer message, then distributes itself to an Outlook contacts list and delivers a destructive payload.

The worm could be a social-engineering nightmare because many users drop their guard for holiday messages from friends and co-workers, a virus expert warned.

According to Computer Associates, the worm has the subject "Happy New Year" and the message body reads:
I can't describe my feelings
But all i can say is
Happy New Year :)

A 37 KB attachment called "Christmas.exe" carries a Flash Animation icon.

Once the attachment is activated, the message sends itself to all entries in an Outlook contacts list, disables several keys on the keyboard, modifies the registry and deletes files in the Windows System directory.

CA rates the worm a medium to high risk. That threat assessment is much higher than that of some competitors, including Trend Micro, which rates it as low risk.

Ian Hameroff, the director for antivirus solutions at CA, explains that his company gave a higher threat rating for the worm because of its social engineering component.

"It's themed around the holidays. It looks like it's bearing New Year's tidings. Someone may let their guard down, thinking it's a card, even though they've been told numerous times not to touch the hot stove, the hot stove being suspicious executables," Hameroff says.

Hameroff also notes that although the technique is not new, the wide spread of several similar worms in the second half of this year shows that users are far from immune to such worms. He estimates that the worm has the potential to infect thousands of computers.

CA calls the worm W32/Reeezak.worm. Trend Micro calls it Worm_Maldal.C with aliases of Kerzac.A or Kerzac.

A user can interrupt the memory resident program by pressing CTRL-ALT-DEL keys, selecting "sm56hlpr" and clicking "End Task," according to Trend Micro.

But due to the destructive nature of the worm, infected systems can be damaged so severely that they require restoration from backup or reinstallation.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft Previews Microsoft Teams for Linux

    Microsoft on Tuesday announced a "limited preview" release of Microsoft Teams for certain Linux desktop operating systems.

  • Hyper-V Architecture: Some Clarifications

    Brien answers two thought-provoking reader questions. First, do Hyper-V VMs have direct hardware access? And second, how is it possible to monitor VM resource consumption from the host operating system?

  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

  • Microsoft Nudging Out Classic SharePoint Blogs

    So-called "classic" blogs used by SharePoint Online subscribers are on their way toward "retirement," according to Dec. 4 Microsoft Message Center post.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.