New Worms Threaten Outlook, Shockwave Users

Antivirus researchers sound alarm on latest nasties wiggling on Web.

James Evans, IDG News Service

The worms are getting worse. Security experts warned Friday that a new variant of the mass-mailing worm "W.32Navidad" virus is now on the loose, and they say another worm that disguises itself as a Shockwave Flash movie is also becoming more problematic.

Symantec's Antivirus Research Center initially reported the W.32Navidad worm, which affects Microsoft's Outlook e-mail application, in early November. The first W.32Navidad worm would launch only once and would insert itself in a reply to all e-mail messages with attachments in the user's in-box. A new version has emerged, however, that launches each time the user activates the e-mail program.

"We are seeing a variant of the original Navidad out there," says Vincent Weafer, director of Symantec's Antivirus Research Center. "We are definitely seeing this in the wild. Right now, we have it down as a low to medium risk. We are not seeing a huge number of infections, but we do expect that to increase." He added that any time a virus works as a mass mailer, the potential for infection is high.

Shockwave Worm Gets Serious

Trend Micro, meanwhile, also reports that TROJ_SHOCKWAVE.A, a new e-mail spamming worm, is out in the wild.

The worm arrives in an e-mail message with a line that reads, "A great Shockwave flash movie." It contains an attachment with the filename Creative.exe. The file size is 36,864 bytes. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Outlook program, potentially clogging e-mail networks.
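
A mail-gateway style check for the indicators reported above (attachment name Creative.exe, file size 36,864 bytes, and the quoted message line), as an added example that is not part of the original article. The function names and sample messages are constructed here, and the attachment bytes are inert filler.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article's description of TROJ_SHOCKWAVE.A.
IOC_FILENAME = "creative.exe"
IOC_SIZE = 36864
IOC_LINE = "a great shockwave flash movie"

def match_indicators(raw_bytes):
    """Return which of the article's indicators one RFC 822 message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    text = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            # Inline text part: keep it for the message-line check.
            if part.get_content_maintype() == "text":
                text.append(part.get_content())
            continue
        if filename.strip().lower() == IOC_FILENAME:
            hits.append("filename")
            # Compare the decoded size, not the base64-encoded length.
            payload = part.get_payload(decode=True) or b""
            if len(payload) == IOC_SIZE:
                hits.append("size")
    if any(IOC_LINE in t.lower() for t in text):
        hits.append("line")
    return hits

def build_sample(body, filename, size):
    """Constructed test message (hypothetical helper); attachment is NUL-byte filler."""
    msg = EmailMessage()
    msg["Subject"] = "Fwd: movie"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample("A great Shockwave flash movie.\n", "Creative.exe", 36864)
    print(match_indicators(sample))
```

A name-only match is worth quarantining on its own, since a renamed or repacked copy would no longer match the reported size.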

The worm doesn't destroy files on a user's computer but renames all files of the JPEG and ZIP type and moves them to the PC's root directory, said Patrick Nolan, a virus researcher with McAfee's Anti-Virus Emergency Response Team (AVERT).

McAfee says it has received more than 50 reports of the virus in the past 24 hours, most of which are from corporations, including several Fortune 500 companies. The unusually high number of reports prompted the company to upgrade the virus from medium risk to high risk late Friday afternoon.

Brazilian Worm Also Strikes

Symantec is reporting that it has received a low-risk worm called Afeto this week. Like Navidad, Afeto comes in through Microsoft Outlook and it attaches itself to e-mail. The worm regenerates by attaching itself to e-mail messages and going to a small number of addresses.

"This one originates from Brazil. It is in the wild, but it is certainly not the most infections we are seeing," Weafer says.

According to Trend Micro, Afeto is triggered when it is in memory and a document is open. This virus also sorts JPEG graphics files that are less than 200,000 bytes in size. Then it attaches various JPEG files together until the file size is 50,000 bytes. It propagates via e-mail by sending itself as an attachment to every list in the Outlook address book of the infected user. Symantec and McAfee are currently classifying Afeto as a low-risk worm.

During a talk in September a Symantec executive noted that worm infections are on the rise. For more information on viruses, see PCWorld.com's recent special report on this topic.
