RealTime IT News

E-Mail Worm Posing As Britney Pics

Britney Spears is not just a pop star - she's a new worm squirming its way through the Web.

The low-risk bug was identified Tuesday by anti-virus experts, including those at the Anti-Virus Emergency Response Team (AVERT), the anti-virus research division of Network Associates.

The Visual Basic-based worm, originally named VBS/BritneyPic@MM and renamed VBS/Chick@M, is currently being tracked across Europe but has the potential to spread worldwide.

The virus is currently detected with the 4150 DATs (or newer) as VBS/Generic@MM when scanning compressed files. The VBS/BritneyPic@MM name will be included in the 4189 DATs.

Like the "Anna Kournikova" and "Jennifer Lopez" e-mail worms before it, "Britney" primarily affects Microsoft Outlook and a popular Internet Relay Chat client program, but uses more social engineering to take advantage of the e-mail recipient.

Social engineering viruses rely on sensational subject lines, in this case "Britney Pics", to tempt users.

"Even though people swore up and down after the 'ILOVEYOU' and 'Kournikova' viruses that they would never open another e-mail attachment, they do forget after some time," says McAfee AVERT researcher Craig Schmugar. "This worm didn't come directly after a major one, so I would expect people will get hit with this one."

How It Works

The worm's compiled HTML Help (CHM) file contains VBScript that e-mails the file to all users in the Outlook address book using MAPI messaging. It arrives in an e-mail message containing the following information:

Subject: RE: Britney Pics
Body: Take a look at these pics ...

If you open the CHM file, a window is displayed and an Internet Explorer warning message appears on top of it.

Clicking YES infects the local system. The worm checks each directory on the C, D, and E drives for SCRIPT.INI.

If it finds one, the worm overwrites the file with mIRC instructions to send itself (from the WINDOWS directory) to IRC users who are on the same channel as the infected user. The worm is then saved to the WINDOWS directory and a registry value is queried to see if the worm has e-mailed itself to others already:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\chm

If the chm value does not equal 1, the worm proceeds to send itself to all users in the Outlook address book and then sets chm equal to 1 in the registry.
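For administrators checking a machine for the traces described above, the following added example (not code from AVERT or Network Associates) reads the registry marker and inspects every SCRIPT.INI on the C, D, and E drives. It assumes that `chm` is a value under the CurrentVersion key and that the overwritten script uses mIRC's `dcc send` command with a .chm file name, since the article does not quote the script text.

```python
import os
import re

# Registry location and value name as given in the article.
MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
MARKER_VALUE = "chm"

# Assumption: the overwritten SCRIPT.INI pushes a .chm file with mIRC's
# "dcc send" command. The article does not reproduce the exact instructions.
DCC_CHM = re.compile(r"dcc\s+send\b[^\r\n]*\.chm\b", re.IGNORECASE)


def scan_script_ini(roots):
    """Return (path, suspicious) for every SCRIPT.INI found under the roots."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != "script.ini":
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read(65536)  # mIRC scripts are small; cap the read
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                hits.append((path, bool(DCC_CHM.search(text))))
    return hits


def mass_mail_marker():
    """Return the 'chm' registry value, or None if absent or not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKER_KEY) as key:
            return winreg.QueryValueEx(key, MARKER_VALUE)[0]
    except OSError:
        return None


if __name__ == "__main__":
    drives = [d for d in ("C:\\", "D:\\", "E:\\") if os.path.isdir(d)]
    print("chm marker:", mass_mail_marker())
    for path, suspicious in scan_script_ini(drives):
        print("SUSPICIOUS" if suspicious else "ok", path)
```

A marker value of 1 means the mass-mailing step has already run on that machine, so address-book contacts should be told to expect the message.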

As with all other warnings, anti-virus experts say you should always be wary of attachments in your e-mail unless you are expecting them from the sender. And even then, you might want to consider calling the sender if you still are not sure.