A huge virus surge of a new Storm Worm variant is flooding e-mail inboxes and evading many antivirus programs. In my tests of 31 programs, only four reported a virus.
Postini, an e-mail security company, says that over the last 24 hours it has seen about 55 million virus e-mails, about 60 times the daily average. The first e-mails had romance-themed subjects: "A kiss so gentle," or "I dream of you," for instance. The latest batch attempts to fool readers--with subjects like "Worm Alert!" or "Virus Alert!"--into thinking they are already infected and need to apply a supplied patch--an attached virus.
We received one such virus e-mail here at PC World, titled "Worm Alert!" The e-mail included a text message embedded in an image, which makes it easier to evade antispam tools. The attachment was a password-protected archive named 'patch-7594.zip,' with the password contained in the image's text.
At 2:30 p.m. I uploaded the attachment to Virustotal.com, which uses many different antivirus programs to scan uploads. Of 31 programs, only 4--ClamAV, eSafe, Kaspersky, and Symantec--reported a virus.
According to Postini, double-clicking the attachment unleashes a succession of modern malware attack methods. First, a rootkit will attempt to hide the malware from both human and antivirus scans. Then the worm will attempt to disable antivirus programs. Next, the worm connects to a custom peer-to-peer network used by the worm's creators to issue commands. Those commands might be to download additional malware, send spam, or transmit personal data stolen from the victim computer.
Finally, to spread itself further, the worm searches for e-mail addresses on the victim machine and sends itself to any discovered addresses. The worm is self-mutating, according to Postini, changing e-mail subject lines, attachment file names, and malware characteristics in order to evade antivirus and antispam programs.
Cloudmark, another e-mail security company, says it sees similar outbreak numbers. Today's flood is ten times as large as one this past Sunday, which also involved the virulent Storm Worm.
A Growing Storm
First seen in January, the Storm Worm was originally named for subject lines such as "230 dead as storm batters europe." It created its own virtual storm with 42,000 different variants over a 12-day period, according to security company Commtouch. The huge number of variations was meant to confound traditional signature-based antivirus protection, which must know about each variant to protect against it.
To stay safe from today's ongoing worm surge, exercise extreme caution with any unexpected e-mail attachments, even if they seem to come from someone you know. Also, be sure your antivirus software is up-to-date. Though most antivirus programs are currently missing at least some of the variants, the companies will update their signatures as the attack progresses.