This is no April Fool’s Day joke
I wish I had a humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.
Symantec Security Response has detected a new worm in the wild: W32.Fubalca. It infects executables and HTML-type files, inserting links to malicious Animated Cursor files, and exploits the currently unpatched Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability (BID 23194) to download further copies of the worm.
The worm infects executables on all drives (including removable drives), except for the drive that Windows is installed on (e.g. C:\). As well as exploiting the vulnerability, the worm appears to spread through removable drives and already-mapped network shares.
The malicious Animated Cursor files are detected as Trojan.Anicmoo. W32.Fubalca injects its code into executables and downloads a settings file which contains a list of URLs to download further files from. At the time of writing, the downloaded files are online-game infostealers, such as Infostealer.Gampass and Infostealer.Perfwo, which indicates that the ultimate purpose of this worm is to steal online game accounts.
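The ANI flaw the worm leans on is a length-trust problem in the cursor parser, so a quick structural triage of the .ani files an infected HTML page links to is a useful first check alongside your antivirus definitions. The script below is an added example written for this post; it is not Symantec's detection logic and not part of the worm analysis. It assumes the public description of the format and the bug: an animated cursor is a RIFF container of type ACON whose legitimate "anih" header chunk is 36 bytes, and a file that declares a different length for an "anih" chunk (at any nesting depth, including inside the frame LIST) or a chunk that runs past the end of the file is worth quarantining. Both sample files are constructed inline; neither is real malware.

```python
import struct

# Length of the ANIHEADER structure carried by a well-formed "anih" chunk.
# This is a property of the public ANI format, not something stated in the post.
ANIH_HEADER_LEN = 36


def build_chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: fourcc, little-endian length, payload, pad to even."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(chunks: bytes) -> bytes:
    """Wrap already-encoded chunks in a RIFF/ACON container."""
    body = b"ACON" + chunks
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _walk(data: bytes, start: int, end: int, depth: int = 0):
    """Yield (fourcc, declared_len, available_len, depth) for every chunk in
    data[start:end], descending into LIST containers so that chunks hidden
    inside a frame list are inspected too."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (declared,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        available = max(0, min(declared, end - body))
        yield fourcc, declared, available, depth
        if fourcc == b"LIST" and declared >= 4:
            # A LIST carries a 4-byte list type followed by sub-chunks.
            yield from _walk(data, body + 4, body + available, depth + 1)
        # RIFF pads odd-length chunks to an even boundary.
        pos = body + declared + (declared & 1)


def inspect_ani(data: bytes) -> list:
    """Return human-readable findings; an empty list means the file looks
    structurally sane under this heuristic (which is not proof it is clean)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    (riff_len,) = struct.unpack_from("<I", data, 4)
    if riff_len + 8 > len(data):
        findings.append(f"RIFF header declares {riff_len} bytes, file holds {len(data) - 8}")
    for fourcc, declared, available, depth in _walk(data, 12, len(data)):
        if fourcc == b"anih" and declared != ANIH_HEADER_LEN:
            findings.append(
                f"anih chunk at depth {depth} declares {declared} bytes, expected {ANIH_HEADER_LEN}")
        elif declared > available:
            findings.append(
                f"{fourcc!r} chunk at depth {depth} declares {declared} bytes but only {available} remain")
    return findings


# Constructed samples (not real malware): a well-formed cursor, and one whose
# first anih is clean but which hides a second, oversized anih in the frame list.
BENIGN_ANI = build_ani(
    build_chunk(b"anih", bytes(ANIH_HEADER_LEN))
    + build_chunk(b"LIST", b"fram" + build_chunk(b"icon", b"\x00" * 16)))

SUSPICIOUS_ANI = build_ani(
    build_chunk(b"anih", bytes(ANIH_HEADER_LEN))
    + build_chunk(b"LIST", b"fram" + build_chunk(b"anih", b"A" * 256)))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ANI), ("suspicious", SUSPICIOUS_ANI)):
        print(name, inspect_ani(sample) or "ok")
```

The walker deliberately descends into LIST containers: a file whose first "anih" chunk is well-formed can still carry a malformed one deeper in the structure, and that is exactly the kind of input a length check that stops at the first header would wave through. Treat any finding as a reason to quarantine the file and the HTML page that referenced it, not as a verdict on its own.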
The worm was brought to our attention by the Chinese Internet Security Response Team (CISRT), who kindly sent us some samples. They have a good analysis on their blog, which I recommend you read to complement our own description.
Detection for W32.Fubalca is available in Rapid Release definitions dated 03/31/2007 (revision 34) onwards and will be included in today's certified virus definitions.
This vulnerability has not been patched yet, so please be extra careful and refrain from opening files received from untrusted sources. Keep your antivirus up-to-date and follow safe computing practices. At the end of the day, you will be the subject of the joke if you catch an infection on a day like this.