An email with the attached text image is circulating heavily today. The message appears to come from a service provider and tells the recipient that they are infected with a virus and must download and run the attached password-protected file to fix the problem (the password is embedded in the image in the message). The file, patch-6280.zip, contains a currently unknown virus. Users should not, under any circumstances, download the attachment.
The virus is W32/Nuwar@MM, aka the Storm Worm, a virus that terminates security applications. We first saw this worm in January. It is called the Storm Worm because the original spam/malware campaign used email subject lines alluding to a major storm in Europe.
It first installs a rootkit to evade detection. It then connects to a custom peer-to-peer network through which the worm's creators issue commands, such as downloading additional malware, sending spam, or transmitting personal data stolen from the victim's computer. To spread further, the worm also harvests email addresses from the victim machine and mails itself to every address it finds. The worm is self-mutating. If it goes undetected and is not removed, it opens the door to future spam and malware attacks.
Additional subject lines include:
- Virus Activity Detected!
- Worm Activity Detected!
- Trojan Detected!
- Virus Alert!
- Worm Detected!
- Spyware Detected!
- Worm Alert!
As a side note, when the emails first started circulating on Thursday, the subject lines had romantic themes (“A kiss so gentle” or “I dream of you”).
The name of the zip file varies: observed names use the words “patch,” “hotfix,” “removal,” and “bugfix,” followed by a random four-digit number.
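The subject lines and attachment-name pattern described above are enough to build a simple mail-gateway triage check. The following is an added example, not code from the original alert; the sample messages are constructed, and the hyphen/underscore separator and the inline-image flag are assumptions rather than details given in the alert.

```python
import re
from dataclasses import dataclass, field

# Subject lines named in the alert (matched case-insensitively).
CAMPAIGN_SUBJECTS = {
    "virus activity detected!",
    "worm activity detected!",
    "trojan detected!",
    "virus alert!",
    "worm detected!",
    "spyware detected!",
    "worm alert!",
}

# Attachment name pattern from the alert: one of four words, then a random
# four-digit number, packaged as a .zip. Separator assumed: "-" (as in
# "patch-6280.zip"), "_" or none; extension matched case-insensitively.
ATTACHMENT_RE = re.compile(r"^(patch|hotfix|removal|bugfix)[-_]?\d{4}\.zip$", re.I)

@dataclass
class Message:
    subject: str
    attachments: list = field(default_factory=list)
    has_inline_image: bool = False  # assumed flag: image body carrying the password

def storm_indicators(msg):
    """Return the campaign indicators found in one message (empty list = none)."""
    hits = []
    if msg.subject.strip().lower() in CAMPAIGN_SUBJECTS:
        hits.append("subject:known-lure")
    for name in msg.attachments:
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment:{name}")
    # Password delivered as an image defeats gateway archive scanning, so an
    # image-only body alongside an archive is itself worth flagging.
    if msg.has_inline_image and msg.attachments:
        hits.append("body:image-with-archive")
    return hits

# Constructed sample messages modelled on the alert; not real captured mail.
SAMPLE = [
    Message("Virus Alert!", ["patch-6280.zip"], has_inline_image=True),
    Message("Worm Detected!", ["hotfix_1234.zip"]),
    Message("Quarterly report", ["report-2007.zip"]),
    Message("I dream of you", ["removal3333.zip"], has_inline_image=True),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.subject!r}: {storm_indicators(m) or 'clean'}")
```

A message with two or more indicators is a high-confidence match; a lone subject hit should be reviewed rather than blocked outright, since the subject lines are generic enough to collide with legitimate security notices.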