BawA
05-14-2004, 09:24 AM
Antivirus software companies issued warnings and software updates on Tuesday and Wednesday for a new worm, Wallon, that uses deceptive Web links to Yahoo.com to trick users into downloading malicious programs.
Wallon first appeared last Friday and spreads in e-mail messages. However, antivirus companies reported increased instances of the worm on Tuesday and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.
Symantec Corp. and Network Associates Inc.'s (NAI's) McAfee Antivirus Emergency Response Team said Wallon was a low-level threat. However, other companies, including Sophos PLC and F-Secure Corp., said they received numerous reports of the worm.
Like other mass-mailing worms, Wallon has its own SMTP (Simple Mail Transfer Protocol) engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML (Hypertext Markup Language) link to the Web page http://drs.yahoo.com, according to antivirus companies.
Users who click that link set off a chain of events that results in their Web browser being redirected to a non-Yahoo Web site controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability." Triggering that flaw on unpatched Windows systems, however, allows the virus to download and run a file that replaces Microsoft Corp.'s Windows Media Player with a malicious program that downloads the Wallon worm's main file and changes the Internet Explorer's home page to a page maintained by the virus writer, F-Secure of Helsinki said.
In addition to stealing e-mail addresses for the purpose of spreading itself, Wallon forwards the addresses it finds on compromised systems to another e-mail address, which could be harvesting them for spammers, NAI said. After infection, Wallon also hijacks the victim's Web browser and directs it to a pornographic Web site, pixpox.com, NAI said.
Antivirus companies issued updated Wallon virus definitions for their products on Tuesday and Wednesday, in addition to posting tools to remove the Wallon worm.
Wallon first appeared last Friday and spreads in e-mail messages. However, antivirus companies reported increased instances of the worm on Tuesday and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.
Symantec Corp. and Network Associates Inc.'s (NAI's) McAfee Antivirus Emergency Response Team said Wallon was a low-level threat. However, other companies, including Sophos PLC and F-Secure Corp., said they received numerous reports of the worm.
Like other mass-mailing worms, Wallon has its own SMTP (Simple Mail Transfer Protocol) engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML (Hypertext Markup Language) link to the Web page http://drs.yahoo.com, according to antivirus companies.
Users who click that link set off a chain of events that results in their Web browser being redirected to a non-Yahoo Web site controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability." Triggering that flaw on unpatched Windows systems, however, allows the virus to download and run a file that replaces Microsoft Corp.'s Windows Media Player with a malicious program that downloads the Wallon worm's main file and changes the Internet Explorer's home page to a page maintained by the virus writer, F-Secure of Helsinki said.
In addition to stealing e-mail addresses for the purpose of spreading itself, Wallon forwards the addresses it finds on compromised systems to another e-mail address, which could be harvesting them for spammers, NAI said. After infection, Wallon also hijacks the victim's Web browser and directs it to a pornographic Web site, pixpox.com, NAI said.
Antivirus companies issued updated Wallon virus definitions for their products on Tuesday and Wednesday, in addition to posting tools to remove the Wallon worm.