
Christmas.exe
Political worm disguised as holiday greeting

During the holidays, email often carries legitimate holiday greetings from friends and family. Sadly, these greetings may carry a bitter payload hidden within the Christmas cheer. Arriving in an email with the subject line of "Happy New Year", the attached "Christmas.exe" uses an icon from Macromedia® Flash™ in an attempt to trick users into opening the file. However, the file is really a malicious virus written in Visual Basic 5 that delivers a nasty payload along with a political message. The payload consists of disabling the keyboard, deleting security software, and deleting files in the C:\Windows\System subdirectory. This follows a trend set by other recent worms, wherein certain antivirus and firewall software is disabled on the system, leaving infected users vulnerable to further threats. The article "How Vulnerable is Your Security?" discusses the ease with which recent worms have disabled security software.

Dubbed W32/Maldal.c@MM by antivirus vendor McAfee, Keyluc by antivirus vendor F-Secure, and W32.Reeezak.A@mm by antivirus vendor Symantec, the worm is also reportedly known as W32.Zacker.C@mm. The worm arrives in an email with the following characteristics:

Subject: Happy New Year
Body:
Hii,
I can't describe my feelings
But all I can say
is Happy new year :-)
bye
Attachment: Christmas.exe

If Christmas.exe is opened, the worm will display a graphic of Santa Claus and a reindeer. Behind the scenes, the worm is busy collecting addresses from Outlook and MSN Messenger, sending the same email to any contacts found. The worm copies itself to the Windows directory and adds itself as Zacker="C:\windows\christmas.exe" to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, causing it to be started each time Windows starts. The worm then disables the keyboard, deletes files found in the Windows\System directory, and changes Internet Explorer's homepage to that of an infected Geocities website. The website displays a political message critical of U.S. President Bush. The virus also includes anti-Jewish and other political messages.

The infected page exploits the Microsoft® VM ActiveX control vulnerability (MS00-075), allowing further infected files to be created on the visitor's machine. These files are automatically executed by the virus, which then attempts to delete a variety of security software from the infected user's machine and send a second mass-mailing consisting of a link to the infected website with the subject line: Very Important!
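The message characteristics described above can be checked at a mail gateway or during a mailbox sweep. The following is an added example, not part of the original article: the function names, the finding labels, and the list of executable extensions are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the worm description above.
FIRST_SUBJECT = "happy new year"
SECOND_SUBJECT = "very important!"
WORM_ATTACHMENT = "christmas.exe"
# Assumption: extensions treated here as directly executable on Windows.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def triage(raw_message):
    """Return a list of findings for one raw RFC 822 message (empty = no match)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    findings = []
    # A subject match alone is a weak signal; real greetings use the same words.
    if subject == FIRST_SUBJECT:
        findings.append("subject:first-wave")
    if subject == SECOND_SUBJECT:
        findings.append("subject:second-wave")
    # The From header is deliberately ignored: the worm is sent to the
    # contacts of an infected user, so it arrives from a known address.
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name == WORM_ATTACHMENT:
            findings.append("attachment:christmas.exe")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append("attachment:executable")
    return findings


def build_sample(subject, filename=None):
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "friend@example.com", "user@example.com", subject
    m.set_content("Hii,\nI can't describe my feelings\n")
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("Happy New Year", "Christmas.exe")))
    print(triage(build_sample("Very Important!")))
    print(triage(build_sample("Lunch on Friday?", "menu.txt")))
```
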

Roger Thompson, Director of Malicious Code Research for TruSecure Corporation warns, "I think most people understand that it's dangerous to open mail from strangers, but they also have to understand that all mass mailers come from someone you know. People simply have to stop trusting everything they get." Roger's advice should be taken to heart this holiday season, as it is clear from this worm that virus writers mean to play Grinch.
