Weekly Report on Viruses and Intruders – Spamta worm, Microsoft VML vulnerability
This week’s report from Panda Software looks at the appearance of numerous variants of the Spamta worm (in particular, the CY variant), as well as the Microsoft VML vulnerability (MS06-055).
Earlier this week, PandaLabs detected mass-mailing of spam messages with files infected with the Spamta.CY worm. The messages containing this worm have variable subjects, chosen at random from a list of options. The message text includes a warning to users that emails are supposedly being sent out from their computer because of a malicious code infection. In some cases there is no message text.
The attachment name is also variable (e.g. doc.dat.exe, body.zip or test.elm.exe), and this is the file that contains Spamta.CY. If run, the worm opens Windows Notepad and displays a series of garbled characters. At the same time, it looks for email addresses on the system, and sends itself out to them using its own SMTP engine.
Less than 24 hours after the appearance of Spamta.CY, PandaLabs detected 12 new variants of this family of worms. It would seem that the creator of these worms is trying to distribute as many variants as possible in order to increase the possibility of computers being infected.
The new variants of Spamta detected are similar to each other and are designed to be sent out rapidly by email. However, the creator of the worm may well make modifications to new variants, introducing more dangerous functions, a common practice among malware creators.
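The attachment names listed above (doc.dat.exe, test.elm.exe) place a harmless-looking inner extension in front of the executable one. As an added example, not part of Panda's report, this Python code shows how a mail filter could flag such names; the extension lists, verdict labels, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed, non-exhaustive lists; tune them to your own mail policy.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ARCHIVE = {".zip"}

def classify_attachment(filename):
    """Return 'decoy-exe', 'exe', 'archive' or 'ok' for one attachment name."""
    # Keep only the base name; Windows ignores trailing dots and spaces,
    # so "x.exe. " is still opened as x.exe.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    if not suffixes:
        return "ok"
    if suffixes[-1] in EXECUTABLE:
        # An inner extension such as .dat or .elm is a decoy in front of .exe.
        return "decoy-exe" if len(suffixes) > 1 else "exe"
    if suffixes[-1] in ARCHIVE:
        return "archive"  # name alone proves nothing; unpack and scan members
    return "ok"

def scan_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment name."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "",
             classify_attachment(part.get_filename() or ""))
            for part in msg.iter_attachments()]

def build_sample():
    """Constructed test message; attachment payloads are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text.")
    for name in ("doc.dat.exe", "body.zip", "test.elm.exe", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:10} {name}")
```

A name-based verdict is only a first filter: the "archive" result means the members still have to be unpacked and checked the same way.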
The MS06-055 Microsoft vulnerability has been classified as critical. It affects Vector Markup Language (VML) on computers with Windows 2003/XP, and on versions 5.01 and 6 of Internet Explorer on computers running Windows 2000. VML is an XML application that simplifies the development of vector graphics using attributes and short descriptive tags.
Successful exploitation of this vulnerability allows hackers to gain remote control of the affected computer, with the same privileges as the logged-on user. Therefore, if the affected user had administrator rights, the hacker would have complete control of the system. So far, this vulnerability has been exploited through specially crafted web pages.
If you have a computer with Windows 2003/XP/2000, it is advisable to download and install the Microsoft security patch that fixes this problem.