For Love or Money—Social Engineering by W32.Ackantta.B@mm 

Feb 27, 2009 07:38 PM

Over the past two days, Security Response has observed an increase in detections of W32.Ackantta.B@mm and, subsequently, Trojan.Vundo.

W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from a compromised computer and spreads by copying itself to removable drives and shared folders. Trojan.Vundo is typically installed by visiting a Web site link that is contained in a spam email. However, we've observed that W32.Ackantta.B@mm actually emails a zipped file containing a copy of a Trojan.Vundo dll.

The worm may arrive on the computer as “postcard.pdf.exe,” with a snowman icon (the original post includes a screenshot of the icon).

Once the worm is executed, it may display an image of cartoon animals (the original post includes a screenshot of the image).

Yet again, attackers are taking advantage of the global economic environment by using social engineering to entice users to open malicious email attachments. Some of the observed subjects include the following:

Job offer from Coca Cola!
Thank you for your application


The attackers have also attempted to appeal to the desire for friendship by using the time-tested technique of malicious e-card subjects, such as the following:

You have got a new E-Card from your friend!
You have received A Hallmark E-Card!


In particular, we've observed the attachments listed below. We expect that—as is common with social engineering techniques—these attachments could change:

copy of your CV.zip
e-card.zip
job-application-form.zip
postcard.zip
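The post describes two things a mail gateway or endpoint can check for: the lure indicators (subject lines and attachment names quoted above) and, more durably, the shape of the payload: a zip whose member is an executable wearing a document-style double extension such as postcard.pdf.exe, or a PE file (the Trojan.Vundo dll) renamed to look harmless. The following triage script is an added example written for this page; it is not Symantec's code or the product's heuristics. The indicator sets are taken from the post, the verdict labels, function names and the sample archives are constructed here, and the "MZ" check relies only on the fact that Windows PE executables start with that DOS header.

```python
import io
import re
import zipfile

# Lure indicators quoted in the post above; matched case-insensitively.
SUSPECT_SUBJECTS = {
    "job offer from coca cola!",
    "thank you for your application",
    "you have got a new e-card from your friend!",
    "you have received a hallmark e-card!",
}
SUSPECT_ATTACHMENT_NAMES = {
    "copy of your cv.zip",
    "e-card.zip",
    "job-application-form.zip",
    "postcard.zip",
}
# Extensions Windows executes or loads; .dll is included because the post
# describes a Trojan.Vundo dll being mailed inside the zip.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll")
# "postcard.pdf.exe": document-looking name with an executable final extension.
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|jpg|jpeg|gif|txt)\.(exe|scr|com|pif|bat|cmd)$", re.I
)


def inspect_zip_attachment(data: bytes) -> list:
    """Report archive members that look like disguised executables.

    Both the member name and its first two bytes are checked, so a PE file
    renamed to a harmless extension is still caught by its MZ header.
    Raises zipfile.BadZipFile if the bytes are not a zip archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise separators; only the final path component matters.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            lower = base.lower()
            if DOUBLE_EXT.search(lower):
                findings.append(f"double extension: {base}")
            elif lower.endswith(EXECUTABLE_EXTS):
                findings.append(f"executable extension inside archive: {base}")
            with archive.open(info) as member:
                head = member.read(2)
            # Content check, independent of the name: PE files begin with "MZ".
            if head == b"MZ" and not lower.endswith(EXECUTABLE_EXTS):
                findings.append(f"PE header in non-executable name: {base}")
    return findings


def triage_message(subject: str, attachments: dict) -> dict:
    """Score one message; attachments maps file name -> raw bytes.

    Verdict (labels are constructed for this example):
      'block'      an archive carries an executable payload
      'suspicious' only a lure subject/name matched, or a zip would not parse
      'clean'      nothing matched
    """
    findings = []
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        findings.append(f"known lure subject: {subject!r}")
    archive_hits = 0
    for name, data in attachments.items():
        lower = name.lower()
        if lower in SUSPECT_ATTACHMENT_NAMES:
            findings.append(f"known lure attachment name: {name}")
        if lower.endswith(".zip"):
            try:
                hits = inspect_zip_attachment(data)
            except zipfile.BadZipFile:
                findings.append(f"{name}: not a valid zip archive")
                continue
            archive_hits += len(hits)
            findings.extend(f"{name}: {h}" for h in hits)
    if archive_hits:
        verdict = "block"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test archive (not the real worm): one member, given bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a lure subject from the post and a zip carrying a
    # harmless stub that only shares the PE magic and the dropper's file name.
    fake_pe = b"MZ" + b"\x00" * 62
    lure = {"postcard.zip": build_sample_zip("postcard.pdf.exe", fake_pe)}
    print(triage_message("You have got a new E-Card from your friend!", lure))
    benign = {"report.zip": build_sample_zip("report.txt", b"quarterly numbers")}
    print(triage_message("Meeting notes", benign))
```

The subject and name lists are the weakest part of the check, as the post itself says these change; the double-extension and MZ-header rules are what keep catching the next rename of the same payload.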


As a result of this increased activity, we've released more aggressive heuristics that detect and block hundreds of Trojan.Vundo variants. We have also increased the Risk Level of Trojan.Vundo from Level 1 to Level 2.

Based on our submission data, it appears that the worst of this attack is behind us, as detection levels appear to be decreasing. We plan to keep a vigilant eye on the current activities and any new developments. Stay tuned.

Note: My thanks to Angela Thigpen for her assistance with the research on this threat and information provided in this article.

Update (March 2, 2009): Please review our previously published article regarding spam attacks on job seekers. A recent spam campaign is attempting to distribute zipped files that include malicious code samples such as Trojan.Vundo, discussed above. Both articles discuss the ever-present threat of social engineering tactics that attackers use in their attempts to entice users to download and/or open malicious programs.

Message Edited by Trevor Mack on 03-02-2009 07:50 AM