CERT warns of Mother's Day threat

The threat, which is also known as "Peido-B" or "VBS/Inor.B", arrives in an e-mail that masquerades as an administrative message.

The e-mail contains the text "THIS IS A WARNING MESSAGE ONLY YOU DO NOT NEED TO RESEND YOUR MESSAGE" and contains an executable attachment named "sys_con.hta," according to an alert posted by security firm Sophos.

When recipients launch the attachment, a trojan program known as "Troj/DLoader-BO" is installed on the user's system. Trojan programs are malicious software, often masked as legitimate programs, which secretly compromise computer security.

Troj/Dloader-BO downloads and executes a file from the website http://masteraz.hypermart.net within three days of being run for the first time and modifies the configuration of the Microsoft Windows operating system so that the program is started along with Windows, Sophos said.

The warning from CERT appeared on the organisation's web page under the heading "Current Activity," which is reserved for "frequent, high-impact types of security incidents currently being reported."

Despite the high-level warning from CERT, Carole Theriault, an antivirus consultant at Sophos, said that it had received only "a small handful" of reports of individuals whose machines had been infected by Peido-B.

Brian King, internet security analyst at CERT, said the Current Activity page is a "very informal" list of threats and is intended more for the use of the CERT community than the public.

"It's where we put information that may become advisories in the future. If we get a fair number of calls, we put it up there to help our staff... even if it's not that significant an Internet threat," he said.

CERT requires reports from multiple, dispersed sources before issuing any kind of notice or alert, King said.

It is based at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.