Thursday, April 12, 2007

New Worm, More Social Engineering

The Internet Storm Center is reporting a new worm making the rounds. It may be a variant of the "Storm Worm" (we use the word worm loosely here) and it is being detected as Nuwar/Zhelatin.

It's worthy of note chiefly because of the social engineering tricks it is using. The subjects of the e-mails include:

"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"

The e-mail tries to trick users into opening the encrypted zip attachment (the password is displayed inside an image) by convincing them that the attachment will protect them from the worm. It's a true Trojan horse pretending to be a gift. Be suspicious of e-mail gifts.

This worm is also of note because of the encrypted zip. This is not new ground and is in fact an old trick. A number of virus scanners have the option of blocking encrypted zip files, but most gateway devices will not block encrypted zip files due to the high number of false positives and legitimate encrypted zip files. Your desktop antivirus solution is the best thing to protect you here. That and common sense.
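As an added example (not from the original post or the Internet Storm Center report), the Python below checks a raw e-mail for the two signals described above: a subject from the list, and a ZIP attachment whose members have the encryption flag (general-purpose bit 0) set. The function names and the sample message are constructed for this example; the sample holds harmless text with only the flag bit set.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Subject lines quoted in the post, lower-cased for comparison.
LURE_SUBJECTS = {
    "worm alert!", "worm detected", "virus alert", "attn!", "trojan detected!",
    "worm activity detected!", "spyware detected!", "dream of you",
    "virus activity detected!",
}

def encrypted_members(data):
    """Names of ZIP members with general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []

def triage(raw):
    """Report whether a raw message has a listed subject and encrypted ZIP members."""
    msg = message_from_bytes(raw)
    subject = (msg["Subject"] or "").strip().strip('"').lower()
    members = []
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        if payload.startswith(b"PK\x03\x04"):  # sniff content, not the file name
            members += encrypted_members(payload)
    return {"lure_subject": subject in LURE_SUBJECTS, "encrypted_zip_members": members}

def build_sample(encrypted, subject="Worm Alert!"):
    """Constructed test message: harmless text in a ZIP, flag bit optionally set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("patch.txt", "constructed sample, harmless text")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1  # local file header: flags at offset 6
        data[data.find(b"PK\x01\x02") + 8] |= 1  # central directory: offset 8
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="patch.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
```

The two results are reported separately so a filter can quarantine only when both are present, rather than rejecting every encrypted zip.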

Note from the sponsor: eSoft's Desktop AV and Intrusion Prevention Softpaks protect customers from this threat.
