Antivirus software companies issued warnings and software updates on Tuesday and Wednesday for a new worm, Wallon, that uses deceptive Web links to Yahoo.com to trick users into downloading malicious programs.
Wallon first appeared last Friday and spreads in e-mail messages. However, antivirus companies reported increased instances of the worm on Tuesday and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.
Symantec Corp. and Network Associates Inc.'s (NAI's) McAfee Antivirus Emergency Response Team said Wallon was a low-level threat. However, other companies, including Sophos PLC and F-Secure Corp., said they received numerous reports of the worm.
Like other mass-mailing worms, Wallon has its own SMTP (Simple Mail Transfer Protocol) engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML (Hypertext Markup Language) link to the Web page http://drs.yahoo.com, according to antivirus companies.
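A mail-gateway triage check for the message traits reported above (subject "RE", no file attachment, an HTML link to drs.yahoo.com), added here as an example and not taken from any antivirus vendor's tooling. The function names and sample messages are constructed for illustration, and accepting "RE:" as well as "RE" is an assumption.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

LURE_HOST = "drs.yahoo.com"  # link host named in the article
# Constructed sample messages (not captured traffic).
SAMPLE_LURE = (b"From: a@example.org\r\nSubject: RE\r\nMIME-Version: 1.0\r\n"
               b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
               b'<html><a href="http://drs.yahoo.com/">open</a></html>\r\n')
SAMPLE_LOOKALIKE = SAMPLE_LURE.replace(b"drs.yahoo.com/", b"drs.yahoo.com.example.net/")

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _host(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. unbalanced brackets
        return ""

def wallon_traits(raw: bytes) -> dict:
    """Report which of the described message traits a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parser = _Hrefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return {
        # Article gives the subject as "RE"; tolerating a trailing colon is an assumption.
        "subject_re": (msg["Subject"] or "").strip().rstrip(":").upper() == "RE",
        # Exact hostname match, so drs.yahoo.com.example.net does not count.
        "lure_link": LURE_HOST in {_host(h) for h in parser.hrefs},
        "no_attachment": next(msg.iter_attachments(), None) is None,
    }

def is_suspect(raw: bytes) -> bool:
    return all(wallon_traits(raw).values())
```

A match on all three traits is a reason to quarantine for review, not proof of infection, since the link host itself is a legitimate Yahoo name.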
Users who click that link set off a chain of events that redirects their Web browser to a non-Yahoo Web site controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability." On unpatched Windows systems, triggering that flaw allows the virus to download and run a file that replaces Microsoft Corp.'s Windows Media Player with a malicious program, which in turn downloads the Wallon worm's main file and changes Internet Explorer's home page to a page maintained by the virus writer, F-Secure of Helsinki said.
In addition to stealing e-mail addresses for the purpose of spreading itself, Wallon forwards the addresses it finds on compromised systems to another e-mail address, which could be harvesting them for spammers, NAI said. After infection, Wallon also hijacks the victim's Web browser and directs it to a pornographic Web site, pixpox.com, NAI said.
Antivirus companies issued updated Wallon virus definitions for their products on Tuesday and Wednesday, in addition to posting tools to remove the Wallon worm.