Danish security firm SophosLabs is warning users to beware a new e-mail virus that poses as breaking news stories about the supposed arrest of the author of the MyDoom worm, the capture of Osama bin Laden or conspiracy theories about the death of the late Pope John Paul II. Analysts said social engineering worms like this one are not going away.
The W32/Kedebe-F worm spreads itself via e-mail using a wide variety of subject lines and message bodies. Users who fall for its various tricks and launch the attached file risk disabling their security software and passing the infection on to other computer users.
The good news is, this worm is not reported to be spreading widely.
The Set-Up
“Hackers are constantly trying to dupe computer users into running malicious code with the promise of breaking news stories,” said Graham Cluley, senior technology consultant for Sophos. “Using the late Pope’s name is a sick trick designed to fool the unwary. Everyone should exercise extreme caution, run up-to-date anti-virus software and ensure they never run unsolicited e-mail attachments.”
The W32/Kedebe-F worm sends many different messages, possibly to take users off guard or tap into a special interest. Some texts claim Michael Jackson has died, Osama bin Laden has been captured by U.S. soldiers or Microsoft has arrested the author of the MyDoom worm.
One message reads: “Someone sent me this document which is stolen from a secret government body and deals about John Paul’s death. It says he was killed by two ‘doctors’ who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.”
Clicking on the attached file launches the worm, disabling security software installed on the computer and spreading the virus to other Internet users via e-mail and peer-to-peer file-sharing networks.
“Internet criminals have no respect for taste and decency. All they’re interested in is making money, and [making] other computer users’ lives a misery,” Cluley said. “We wouldn’t be surprised to see other public figures having their names abused by virus writers and spammers in the future.”
Social Engineering Worms Its Way In
Ken Dunham, the director of malicious code research at iDefense, a Reston, Va.-based threat intelligence firm, told TechNewsWorld that ever since the dawn of MyDoom, it’s been clear that user-interaction worms, a.k.a. social engineering worms, are very successful.
“User interaction worms are here to stay and we are going to see more of those, especially variances of MyDoom or code that is taken from MyDoom,” Dunham said. “Everyone should have an idea of how e-mail worms work, especially the MyDoom family and characteristics of MyDoom-like worms and recognize that there is a risk associated with opening up various attachment types, especially executable files.”