’Tis The Season To Be Jolly

As is customary every year, SophosLabs analysts brace themselves for the onslaught of various malware/spam campaigns during the Christmas period.

This year, someone has gotten off to an early start by releasing a mass-mailing worm in the form of W32/AutoRun-NZ.

This mass-mailing worm is very similar to the old W32/MyDoom family of mass-mailing worms except that it also incorporates functionality to spread via removable media (like USB keys).

A typical e-mail sent out by the worm looks like this:


The message appears to come from Hallmark, but this is a ruse to get the user to open the file attachment (containing the worm), whereupon the worm will begin execution and infect the computer.

Of particular note is how the origin of the e-mail message was deliberately spoofed (making it appear as if the e-mail came from Hallmark). This serves as a timely reminder that users should always exercise great caution when opening file attachments, especially those that contain executable files, even if they appear to come from people they know or from what appear to be legitimate domains.
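The same caution can be applied at a mail gateway. The sketch below is an added example, not code from the original post or from Sophos: it judges a message by what its attachments contain rather than by the displayed sender, which the worm forges. The domains, file names and extension list are constructed assumptions.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed blocklist

def risky_payloads(name, data):
    """Yield (name, reason) for executable content, looking one level into zips."""
    if data[:2] == b"MZ":                        # DOS/PE header of a Windows executable
        yield name, "MZ header"
    elif name.lower().endswith(EXEC_EXT):
        yield name, "executable extension"
    elif data[:4] == b"PK\x03\x04":              # zip archive: inspect each member
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        head = member.read(2)
                    yield from risky_payloads(f"{name}!{info.filename}", head)
        except (zipfile.BadZipFile, RuntimeError):   # corrupt or encrypted archive
            yield name, "uninspectable archive"

def domain(addr):
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def inspect(raw):
    """The From header is reported but never trusted; attachments decide."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.extend(risky_payloads(part.get_filename() or "(unnamed)", data))
    frm, env = domain(msg["From"]), domain(msg["Return-Path"])
    # A differing Return-Path is only a weak hint; legitimate bulk mail has it too.
    return {"from_domain": frm, "envelope_mismatch": bool(env) and env != frm,
            "executables": found}

def build_sample():
    """Constructed message: placeholder domains, inert bytes that only start with MZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.jpg.exe", b"MZ" + b"\x00" * 62)
    m = EmailMessage()
    m["From"] = "Greeting Cards <cards@greetings.example>"
    m["Return-Path"] = "<bounce@mailer.invalid>"
    m.set_content("Constructed test message.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="postcard.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect(build_sample()))
```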

As always, during the Christmas period, it is wise to maintain a high level of vigilance and to ensure that your anti-virus signatures are updated regularly. Remember, malware authors do not take holidays. In fact, it is far more likely that they will make use of this period to create and release more malware.

Incidentally, the malware author also saw fit to leave a message embedded within the code. The message reads ‘(I’m w32.painkiller v0.7c and skullfucking the AV/SEC industry ho-ho-ho)’. I’m so impressed. Not.