Winevar worm on the loose

By Graham Hayday, silicon.com
28 November 2002 08:30 AM
Tags: winevar, worm
A destructive worm is spreading via e-mail - and its payload has the potential to cause the deletion of files in all folders.

Antivirus vendors are warning e-mail users to watch out for a fast-spreading and potentially destructive worm, known as WORM_WINEVAR.

According to Trend Micro, several cases have already been reported in France and Spain. MessageLabs first spotted the worm on 22 November and has seen around 300 copies in the last 24 hours.

It runs on all Windows platforms and propagates using its own Simple Mail Transfer Protocol (SMTP) engine, sending e-mails to addresses it gathers from HTML files on the infected system.

According to Sophos, infected e-mails are likely to have the following characteristics:

From: (defaults to "AntiVirus")
Subject: (defaults to "Trand Microsoft Inc.")
Message text: " - "
Attached files:
- WINXXXX.TXT (12.6 KB) MUSIC_1.HTM
- WINXXXX.GIF (120 BYTES) MUSIC_2.CEO
- WINXXXX.PIF
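
A mail gateway can check for these characteristics before delivery. The sketch below is an added example, not code from Sophos or any vendor named in the article. It assumes "XXXX" in the listed names stands for characters that vary per copy, and the quarantine policy, sample messages and example.com addresses are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the Sophos description in the article.
DEFAULT_FROM = "antivirus"
DEFAULT_SUBJECT = "trand microsoft inc."
# Assumption: "XXXX" stands for characters that vary between copies.
WIN_NAME = re.compile(r"^WIN\w+\.(TXT|GIF|PIF)$", re.IGNORECASE)
FIXED_NAMES = {"music_1.htm", "music_2.ceo"}

def winevar_indicators(raw):
    """Return the listed WINEVAR characteristics found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    display, addr = parseaddr(str(msg.get("From", "")))
    if DEFAULT_FROM in (display.strip().lower(), addr.strip().lower()):
        hits.append("from-default")
    if str(msg.get("Subject", "")).strip().lower() == DEFAULT_SUBJECT:
        hits.append("subject-default")
    for part in msg.walk():  # visits every MIME part, including nested ones
        name = (part.get_filename() or "").strip()
        if name and (WIN_NAME.match(name) or name.lower() in FIXED_NAMES):
            hits.append("attachment:" + name.upper())
    return hits

def should_quarantine(raw):
    """Constructed policy: a WIN*.PIF attachment alone, or any two indicators."""
    hits = winevar_indicators(raw)
    has_pif = any(h.endswith(".PIF") for h in hits)
    return has_pif or len(hits) >= 2

def build_message(sender, subject, names):
    """Build a constructed test message with harmless placeholder attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(" - ")
    for name in names:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

# Constructed samples: one matching the description, one benign near-miss.
SAMPLE = build_message("AntiVirus <av@example.com>", "Trand Microsoft Inc.",
                       ["WINA1B2.TXT", "WINA1B2.PIF"])
BENIGN = build_message("Alice <alice@example.com>", "Holiday photos",
                       ["WINTER.GIF"])
```

The benign sample shows why a single filename match on the WIN prefix is not enough on its own: "WINTER.GIF" trips one indicator but stays below the quarantine threshold.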

The worm sends e-mail using a known exploit that causes the attachment to automatically execute when the message is viewed or previewed on Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express.

It is capable of terminating certain monitoring programs and antivirus products from memory.

If an infected machine is restarted, WINEVAR displays the message: "Make a fool of oneself: What a foolish thing you've done!"

If the 'OK' button is pressed the worm deletes all deletable files in all folders.

Raimund Genes, president of European operations, Trend Micro, said in a statement: "This illustrates that computer users should not be lulled into a false sense of security by the relative lack of virus activity over the last few months. This time the virus writers have hit back with a particularly destructive worm, against which users can protect themselves -- by deploying an up-to-date anti-virus software and by being vigilant."

Antivirus firms such as Symantec, Kaspersky and Sophos have posted further information and protection. See your antivirus vendor's Web site for more information.
