PandaLabs has detected an email message claiming to be a special Christmas offer from McDonald’s, but which really spreads the P2PShared.U worm. The email subject is “Mcdonalds wishes you Merry Christmas!”, while the message text reads as follows:
To make the message look more authentic, the sender’s address shows the “mcdonalds.com” domain. The message also contains a drop-down menu for the targeted user to choose their country, a cunning detail given that the emails claim to come from a multinational company such as McDonald’s.
This malicious code also uses a different set of emails to spread. In this case, the message subject is “You have recieved (sic) a Hallmark E-Card from your friend”.
The message text prompts users to download and run the attached message in order to open the card.
In both cases, if the user follows the instructions in the email, downloads the attachment and tries to open it, they will actually download a copy of P2PShared.U and install it on their computer.
Once on the computer, the worm sends out emails with the same subject and appearance to other users.
Finally, it copies itself to the folders of various P2P file-sharing programs (eMule, LimeWire, Morpheus, etc.) under names relating to security software, image editing programs, program cracks, etc. This way, any user who tries to download any of these applications will actually be letting a copy of the worm onto their computer.
To avoid these infections, Panda advises users not to open messages from unknown senders and, in particular, not to open any attachments they might contain or click any links in them.