English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Don't be an April Fool!

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted April 01, 10:07  GMT
Tags: Zhelatin
0
 

It's been clear for a long time that virus writers will take whatever opportunity they can to spread their malicious code. One popular approach is exploiting public holidays and other well-known days on the calendar – the St. Valentine's Day spam this year is a case in point.

The approach is particularly effective if the holiday is an international one – the result is an increased pool of potential victims.

Last night, on the eve of April Fool's Day, we started seeing a wave of new modifications of the notorious Zhelatin worm. At the time our mail pots started picking up on these messages, no antivirus company was detecting the latest version of the worm.

This latest attack took the usual approach:

1: Prepare the bot machines
2: Mass mail spam containing a link to a site
3: Malicious code is automatically downloaded to the victim machine when the site is viewed

One of the latest examples of such sites is shown below:

If for some reason the malicious code doesn't automatically download when the user views the page, it will be manually downloaded if the user clicks either the image or the hyperlink. The name of the malicious file varies: some of the recent examples are funny.exe, foolsday.exe and kickme.exe. The size of the file also varies depending on the precise variant of the malicious program, but it's usually around 137KB. We detect it as Email-Worm.Win32.Zhelatin

Not only do the bad guys have complete control over the bot machines, they also – naturally - keep an eye on what the antivirus world is up to. Once the most recent variant of the malicious program starts being detected, a new variant will be placed on the site. And while they're watching us, of course we're watching them, tracking the activity on such sites.

I'll close with our usual warning: make sure you keep your antivirus databases up to date, and even though April 1st is a day for fun and games, you shouldn't forget about security!


Comments

If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Alerts