A mass-mailing worm spreading across the Internet Thursday has no malicious code or payload, but it did play on people’s need for security protection.
And that is what has anti-virus experts with Anti-Virus Emergency Response Team (AVERT) and others worried.
The The “I-Worm.Japanize” (or W32/Fbound.c@MM) worm has earned itself a “Medium On-Watch” designation due to the numerous reports of infections and the virus’ potential to spread itself quickly to other users.
“Technically, this is not an infection since there is no payload,” says McAfee.com and AVERT virus researcher April Goostree. “There was no Trojan horse or back door program included with it. This could have been a lot worse, but we released extra DATs at midnight last night, which protected our customers this morning. It was amazing how hard it hit Japan.
According to early statistics, the worm covered a fairly large percentage of the country’s computers in a short amount of time. One ISP reportedly found 3,500 copies of the worm in its servers within a 24-hour period. McAfee.com says it is monitoring the situation as it progresses.
“Even though this worm had a .EXE attachment, which traditionally we have warned people about, people were opening it because it promised a security upgrade,” says Goostree.
The worm arrives in an e-mail message containing the Subject line: “Important” or for addresses ending in .jp there is one of 16 Japanese randomly chosen language subjects. The attachment reads as: Patch.exe
The mass-mailing virus sends itself to all users found in the Windows Address book using SMTP.
The threat is detected as a ‘New Worm’ when scanning with the 4140 DATs (or newer) with Program Heuristics enabled.
As for the lack of a dangerous payload, experts doubt this is a case of script kiddies.
“We may never know,” says Goostree. “This may be an overzealous hacker that released the virus before thinking it through. But this does serve as a warning for future attacks to not open an unknown file without checking the source first.”