File-Killing Shoho Worm Reported

Pest doesn't rely on Outlook, but spreads through its own e-mail engine.

A virus writer out there has given the Internet a last-minute gift, in the form of a new worm, before many businesses close for the Christmas holiday.

The worm, dubbed Shoho or Welyah, spreads via its own e-mail engine, rather than through Microsoft's Outlook e-mail client as many worms do. Shoho attempts to delete files, according to antivirus firms Network Associates and Trend Micro. The worm also exploits the same vulnerability in Microsoft's Internet Explorer browser as the Badtrans worm, which first hit PCs earlier this year. This vulnerability allows the worm to execute when an infected e-mail is opened or previewed, rather than when a user double-clicks on an attachment, the companies said.

Even users who have e-mail clients other than Outlook can be affected if they double-click on attachments that are infected with Shoho.

Though both companies rank the worm as low risk, its ability to delete files makes the worm worth noting. Users should check with their antivirus companies for updates to deal with the Shoho worm.

Microsoft has posted a patch to fix the problem in Internet Explorer, which Outlook uses for some functions including previewing messages.

Disguised Attachment

Shoho arrives in in-boxes with a subject line that reads "Welcome to Yahoo! Mail," and a body message with the same text. Also included in the mail is an attachment called Readme.txt. This is actually a .pif file, however--125 spaces are inserted between the .txt and .pif extensions in an attempt to hide the file's true extension from users, Trend Micro said. NAI reports that the Readme.txt attachment is an .exe file, rather than .pif.
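A mail filter can catch this disguise from the filename alone. The check below is an added example, not code from either antivirus vendor: the extension shortlists, the padding threshold and the function names are assumptions, and it also covers the unpadded double-extension case.

```python
import re

# Assumed shortlists for this example (not exhaustive, not from the article
# apart from .pif and .exe, which the two vendors report for Shoho).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm"}
PAD_RUN = 3  # assumed threshold: this many consecutive whitespace chars is padding


def _ext(text):
    """Return the lower-cased extension after the last dot, or ''."""
    dot = text.rfind(".")
    return text[dot:].lower() if dot > 0 else ""


def analyze_attachment_name(name):
    """Return (true_ext, findings) for one attachment filename."""
    # Windows drops trailing spaces and dots, so ignore them here too.
    cleaned = name.rstrip(" \t.")
    true_ext = _ext(cleaned)
    stem = cleaned[: len(cleaned) - len(true_ext)]
    findings = []
    pad = re.search(r"\s{%d,}" % PAD_RUN, stem)
    if pad:
        findings.append("whitespace-padding:%d" % len(pad.group()))
    # What the user sees once the padding pushes the real extension out of view.
    decoy_ext = _ext(stem.rstrip())
    if decoy_ext in DECOY_EXTS and decoy_ext != true_ext:
        findings.append("decoy-extension:" + decoy_ext)
    if true_ext in EXECUTABLE_EXTS:
        findings.append("executable-extension:" + true_ext)
    return true_ext, findings


def is_disguised_executable(name):
    """True when an executable extension is hidden by padding or a decoy."""
    _, findings = analyze_attachment_name(name)
    kinds = {f.split(":")[0] for f in findings}
    return "executable-extension" in kinds and len(kinds) > 1


# Constructed sample built from the article's description of the attachment.
SHOHO_STYLE_NAME = "Readme.txt" + " " * 125 + ".pif"

if __name__ == "__main__":
    for sample in (SHOHO_STYLE_NAME, "Readme.txt", "invoice.pdf.exe"):
        print(repr(sample[:14]), analyze_attachment_name(sample))
```

A plain executable name such as setup.exe is reported with a single finding and is left to whatever attachment-type policy the gateway already enforces.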

When the attachment is double-clicked or an e-mail containing the attachment is opened or even previewed, the worm sends itself to all addresses found in the Outlook address book. It uses its own Simple Mail Transfer Protocol engine, rather than using Outlook, Trend said. NAI, however, reports that the worm scans the infected PC's hard drive for e-mail addresses, and stores them in a file called EmailInfo.txt before it sends itself to those addresses.

Once the worm has activated, it attempts to add about a half-dozen files to the computer and delete dozens of others, the companies said. The deletion of these files could cause the computer to crash and prevent it from starting up properly afterwards, NAI said. The worm only affects Windows PCs, the companies said.
