A new mass-mailing virus called Wallon, which destroys Windows media player and is activated when a user tries to play MP3 or video files from an infected PC, was discovered in Europe on Tuesday.
Traditionally, mass-mailing viruses such as Netsky and Bagle are spread as attachments. When an unsuspecting user opens the infected attachment, it executes a piece of code that usually attempts to steal the user's address book and often opens a back door to give hackers easy access to the system's resources.
Maikel Albrecht, product manager at Finnish security company F-Secure, said that because of recent virus outbreaks, users are less willing to open e-mail attachments, which is why Wallon's author is counting on users clicking on an e-mail link instead.
"The link in the e-mail points to the actual virus, so if you click the link you download the virus," said Albrecht.
However, once the PC is infected, Wallon remains dormant until the user tries to run a media file such as an MP3 or a video. If by default the system uses Windows Media Player, the virus is activated and attempts to send HTML e-mails, each with a link to the virus file, to any e-mail addresses in the computer's address book.
"If you try and play media content, the worm will activate and start spreading but the user will not see the media player," said Albrecht.
Wallon requires intervention by the user before it can replicate, so Albrecht expects it will not spread very quickly. But unlike common viruses, Wallon is destructive because it replaces the wmplayer.exe file, which means that users infected by the worm will need to reinstall Media Player.
Stuart Okin, chief security officer at Microsoft UK, said anyone worried about Wallon should install Microsoft's MS04-13 patch, which was released in mid-April and solves the problem.
Okin said that if a user has been infected and can no longer use their Media Player he or she should first ensure the system is no longer infected by the virus and then reinstall Media player either from his or her original Windows CD or from the Microsoft Web site.
Additionally, Okin said users should remain cautious about opening e-mail attachments and they should avoid clicking on links in e-mail messages whenever they can.
"When you receive a link to a Web site that you normally visit, don't click on the link, use your Favourites or type in the address in manually," he said.
MS04-013 doesn't mention WMP.
It only mentions Outlook Express.
Puzzling that this is the patch to fix WMP.
I will have to download & instal after all.