'Happy New Year' Worm Gains Ground
The worm, dubbed "Tibs" by Kaspersky Lab but also known as a "Nuwar" variant (Trend Micro) and "Mixor.q" (Symantec), appears as a file attachment named "postcard.exe" in messages with "Happy New Year" subject headings. Users who launch the executable will infect their PCs with rootkits, keyloggers, and other malware.
Israeli security company Commtouch reported that at times on Friday, Dec. 29, Tibs-infected messages made up nearly 12% of all e-mail sent worldwide. Rival F-Secure, meanwhile, said its data pegged the worm as accounting for 16.9% of all malicious messages, easily outdistancing long-running champs such as MyDoom and Mytob.
"This outbreak ushered out 2006 with a bang," said Haggai Carmon, Commtouch VP of products, in a statement Tuesday. "During 2006, a growing number of massive server-side polymorphic outbreaks swarmed the Internet and successfully maintained a sizable lead of several hours to weeks ahead of traditional signature-based solutions.
"What makes them so unique is that they are released in a large number of distinct and short-lived variants, making it impossible to generate one signature or heuristic rule to effectively protect against them [so] malware writers maximize their chances of infecting the largest number of machines," Carmon said.
Commtouch claimed it identified nearly 850 different variations of the worm in just five minutes last week.
Symantec, meanwhile, agreed that spammed malicious mail volume had spiked, but downplayed the threat. "Despite the volume of e-mail messages being distributed by the worm, actual infection numbers are currently quite low," the company said in a warning to customers of its DeepSight threat alert system.
Symantec recommended that users update their antivirus definitions; enterprises should filter executable (.exe) files at the gateway.
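The gateway recommendation above, set against Carmon's point about short-lived variants, as an added example that is not from the article or from any vendor named in it: an exact-hash check stands in for signature matching and misses a variant it has not seen, while an attachment-type check (file extension plus the `MZ` header of Windows executables) blocks every variant. The payloads, addresses, extension list, and function names are constructed for illustration.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: policy list for illustration; the article itself names only .exe.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

# Constructed stand-ins for two polymorphic variants: inert bytes, not real binaries.
VARIANT_A = b"MZ" + b"\x00" * 62 + b"constructed-variant-a"
VARIANT_B = b"MZ" + b"\x00" * 62 + b"constructed-variant-b"

def build_message(payload, filename):
    """Build a constructed sample mail carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Happy New Year"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See the attached postcard.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def attachment_verdicts(raw, known_bad_hashes):
    """Return (filename, hash_hit, type_hit) for each attachment in a raw mail."""
    results = []
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if not filename:
            continue  # multipart container or inline body, not an attachment
        data = part.get_payload(decode=True) or b""
        hash_hit = hashlib.sha256(data).hexdigest() in known_bad_hashes
        # Trailing dots/spaces are stripped so "postcard.exe." is still matched.
        by_name = filename.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS)
        by_magic = data[:2] == b"MZ"  # catches an executable renamed to .jpg
        results.append((filename, hash_hit, by_name or by_magic))
    return results

def demo():
    signatures = {hashlib.sha256(VARIANT_A).hexdigest()}  # only variant A is known
    samples = [(VARIANT_A, "postcard.exe"), (VARIANT_B, "postcard.exe"),
               (VARIANT_B, "postcard.jpg"), (b"%PDF-1.4 constructed", "card.pdf")]
    return [attachment_verdicts(build_message(p, n), signatures)[0][1:]
            for p, n in samples]

if __name__ == "__main__":
    for row in demo():
        print(row)  # (hash_hit, type_hit) per sample
```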