Britney Spears is not just a pop star – she’s a new worm squirming its way through the Web.
Like the “Anna Kournikova” and “Jennifer Lopez” e-mail worms before it, “Britney” primarily affects Microsoft Outlook and a popular Internet Relay Chat client program, but uses more social engineering to take advantage of the e-mail recipient.
Social engineering viruses rely on sensational subject lines, in this case “Britney Pics”, to tempt users.
“Even though people swore up and down after the ‘ILOVEYOU’ and ‘Kournikova’ viruses that they would never open another e-mail attachment, they do forget after some time,” says McAfee AVERT researcher Craig Schmugar. “This worm didn’t come directly after a major one, so I would expect people will get hit with this one.”
How It Works
The compiled HTML Help file contains VBScript to e-mail itself to all users in the Outlook address book using MAPI messaging. It arrives in an e-mail message containing the following information.
Subject: RE: Britney Pics
Body: Take a look at these pics …
If you open the CHM file, a window is displayed and an Internet Explorer warning message appears on top of it.
Clicking YES infects the local system. The worm checks each directory on the C, D, and E drives for SCRIPT.INI.
If it finds one, the worm overwrites the file with mIRC instructions to send itself (from the WINDOWS directory) to IRC users who are on the same channel as the infected user. The worm is then saved to the WINDOWS directory and a registry value is queried to see if the worm has e-mailed itself to others already:
If the CHM value does not equal 1, the worm proceeds to send itself to all users in the Outlook address book and then sets CHM equal to 1 in the registry.
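A mail gateway can stop the message described above before a user ever reaches the warning prompt. The following is an added example, not code from the article or from McAfee: a Python check that flags the quoted subject line and any compiled HTML Help (.chm) attachment. The function names, addresses and attachment file names are assumptions made for the illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".chm",)          # file type the article says carries the VBScript
KNOWN_SUBJECTS = ("re: britney pics",)  # subject line quoted in the article


def inspect_message(raw):
    """Return the reasons to quarantine a raw message (empty list means deliver)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches known worm lure")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces when it resolves the file type,
        # so strip them before comparing the extension.
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            reasons.append("blocked attachment type: " + name)
    return reasons


def build_sample(subject, filename):
    """Build a constructed test message with one attachment (not a real sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Take a look at these pics ...")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [("RE: Britney Pics", "sample.chm"),
                        ("Hello", "notes.CHM"),
                        ("Lunch on Friday", "menu.pdf")]:
        print(subj, "|", fname, "->", inspect_message(build_sample(subj, fname)))
```

Blocking on the attachment type matters more than the subject match, since a renamed subject line still delivers the same file.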
As with all other warnings, anti-virus experts say you should always be wary of attachments in your e-mail unless you are expecting them from the sender. And even then, you might want to consider calling the sender if you still are not sure.