Security experts warn against opening New Year-related messages to ward off this fast-moving worm, which disables Windows firewall and several security programs.

Gregg Keizer, Contributor

December 29, 2006

1 Min Read

A rootkit-cloaked worm is being heavily spammed to users as an attachment to "Happy New Year!" messages, a security researcher warned Friday.

The new worm, dubbed "Tibs" by Kaspersky Lab but pegged as a "Nuwar" variant by Trend Micro, comes disguised as a file attachment named "postcard.exe," said Ken Dunham, director of VeriSign iDefense's rapid response team, in an e-mail. Users who launch the executable will infect their PCs.

With antivirus signature updates still thin and over 160 servers spamming the new worm, the threat is significant, added Dunham. "The period of greatest risk is through the New Year's holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a 'New Year's' related message," he said. "Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period."

On at least one network the worm is generating as many as five spammed messages a second, iDefense reported.

The security intelligence firm's research has identified more than a dozen pieces of malicious code -- including zombie-making bot Trojans -- installed by Tibs after it has gained a foothold on a PC. Two rootkits are also installed to mask the malware from antivirus scanners, and the worm also disables the Windows firewall, as well as several security programs, including F-Secure's BlackLight rootkit scanner. The worm spreads by spamming itself to addresses it steals from the user's files.

"This is a classic iceberg threat," said Dunham, "where multiple codes are installed and then protected with rootkit technology."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights