December 29, 2006
A rootkit-cloaked worm is being heavily spammed to users as an attachment to "Happy New Year!" messages, a security researcher warned Friday.
The new worm, dubbed "Tibs" by Kaspersky Lab but pegged as a "Nuwar" variant by Trend Micro, comes disguised as a file attachment named "postcard.exe," said Ken Dunham, director of VeriSign iDefense's rapid response team, in an e-mail. Users who launch the executable will infect their PCs. With antivirus signature updates still thin and over 160 servers spamming the new worm, the threat is significant, added Dunham. "The period of greatest risk is through the New Year's holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a 'New Year's' related message," he said. "Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period." On at least one network the worm is generating as many as five spammed messages a second, iDefense reported. The security intelligence firm's research has identified more than a dozen pieces of malicious code -- including zombie-making bot Trojans -- installed by Tibs after it has gained a foothold on a PC. Two rootkits are also installed to mask the malware from antivirus scanners, and the worm also disables the Windows firewall, as well as several security programs, including F-Secure's BlackLight rootkit scanner. The worm spreads by spamming itself to addresses it steals from the user's files. "This is a classic iceberg threat," said Dunham, "where multiple codes are installed and then protected with rootkit technology."
About the Author(s)
You May Also Like
Cloud Crisis Management: Tech Insights Report
Solution Brief: Fortinet FortiFlex Delivers Usage-Based Security Licensing That Moves at the Speed of Digital Acceleration
The New Frontier of Cyber Security: Securing the Network Edge
Ultimate Guide to the CISSP
Top Six Recommendations to Improve User Productivity with a Hybrid Architecture