Antivirus software companies have issued warnings and software updates for a new worm, Wallon, which uses deceptive web links to Yahoo.com to trick users into downloading malicious programs.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Wallon first appeared last Friday and spreads in e-mail messages. However, antivirus companies reported increased instances of the worm on Tuesday and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.
Symantec and Network Associates' McAfee Antivirus Emergency Response Team said Wallon was a low-level threat, although other companies, including Sophos and F-Secure Corp, said they received numerous reports of the worm.
Like other mass-mailing worms, Wallon has its own Simple Mail Transfer Protocol engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML link to the web page http://drs.yahoo.com.
Users who click that link set off a chain of events that results in their web browser being redirected to a non-Yahoo website controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability".
Triggering that flaw on unpatched Windows systems, however, allows the virus to download and run a file that replaces Microsoft Windows Media Player with a malicious program that downloads the Wallon worm's main file and changes the Internet Explorer's home page to a page maintained by the virus writer, F-Secure said.
In addition to stealing e-mail addresses for the purpose of spreading itself, Wallon forwards the addresses it finds on compromised systems to another e-mail address, which could be harvesting them for spammers, McAfee said. After infection, Wallon also hijacks the victim's web browser and directs it to a pornographic website, pixpox.com.
Antivirus companies issued updated Wallon virus definitions for their products on Tuesday and Wednesday, in addition to posting tools to remove the Wallon worm.
Paul Roberts writes for IDG News Service