Although we’ve not seen too many actual attacks from this, it’s been widely reported in the media, perhaps as it’s quite a novelty these days to see a worm spreading in this way.

It spreads itself as an executable in email, but disguises itself as a PDF file, when executed it attempts to download some other malicious files on the victim machine, and drops some files in an attempt to let the worm spread via autorun.

K7 Total Security detects this worm as  ”Emailworm (0019e4ae1)” (yeah, it’s that uninteresting!)

Full information is here:

http://viruslab.k7computing.com/index.php?option=com_k7virus&view=showvirus&Itemid=1&id=818

If you’re interested in more, Dan Goodin has written a short piece about the worm on The Register http://www.theregister.co.uk/2010/09/10/email_worm_spreading/

Andrew Lee
CTO K7 Computing

Security researchers at SRI International have found that the IKee-B iPhone worm, which attacked “jailbroken” iPhones in November, turned the smartphones into botnet clients under the control of a server based in Lithuania. The worm predominantly affected iPhone users in The Netherlands, specifically targeting customers of Dutch online bank ING Direct.

Whilst warnings about malware on smartphones have been circulating for a number of years, the growth in popularity of the iPhone, which allows users much greater access to the internet than previous handsets. The popularity of the iPhone has also raised concerns, with smartphones previously considered to be something of a “niche” product.

“Unlike the previous generation of cell phones that were at their worst susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today susceptible to being probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the internet,” claimed the report.

“Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a lightweight smartphone application. iKee.B demonstrates that a victim holding an iPhone in Australia can be hacked from another iPhone located in Hungary, and forced to exfiltrate its user’s private data to a Lithuania C&C server, which may then upload new instructions to steal financial data from the Australian user’s online bank account. While it is unclear just how well prepared smartphone users are to this new reality, it is clear that malware developers are preparing for this new reality right now.

SRI’s researchers conclude that although the Ikee-B worm is simpler than similar PC versions, it comes with the potential to evolve in something more serious.

“The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Chinese government officials have issued the warning over the Worm_Piloyd.B worm after the virus was discovered circulating on Chinese networks.

The Tianjin-based National Computer Virus Emergency Response Centre reported that the virus infects .exe, .html and .asp files and is programmed to block users from restoring any files that are infected.

The virus also forces an infected system to download other viruses from websites and it is claimed that the worm will also be used to make an infected PC part of a wider botnet.

The warning is unusual in that it has not been issued by antivirus experts in the US or Europe but instead, from a officials in a country which has become renowned for being a breeding ground for malicious software. Research released in 2008 claimed that 44.8% of all malware-infected websites were being hosted in China.

The problem, many believe, is exasperated by the Chinese government’s secretive policy on computer usage, with strict state controls on computer usage and internet access. For example, a compulsory government firewall software program must be installed on all PCs being used in the country.

Earlier this year, a report by the US-China Economic and Security Review Commission suggested that Chinese government agencies were attempting to monitor American computer systems.

Computer users are urged to ensure that their antivirus software is kept up-to-date to minimise the risk of being affected by the worm.

In the seventh biannual Microsoft Security Intelligence Report, the software giant claims that infections from worms have more than doubled between January and June 2009, although Trojans were still the biggest cause for concern. The company also highlighted a notable increase in scareware related infections, where customers are typically persuaded into purchasing bogus antivirus software.

The report claims to have taken extensive coverage of the market, as making use of Microsoft’s comprehensive footprint on consumer as well as corporate computers and the web. Data has also been taken from the company’s Bing search engine as well as various applications, including Live OneCare, Forefront Protection for Exchange cloud service, Malicious Software Removal Tool, and Windows Defender.

The report attributes much of the increase to the ‘Conficker‘ worm, also known as Downadup or Kido and less known ‘Taterf’.

The advice from Microsoft for users was to ensure that they kept an up-to-date antivirus software programme and to exercise caution whilst online.

“We’d recommend, in addition to automatic updates, firewalls and up-to-date anti-virus, that users never log into an account unless they’re on a machine they trust, and don’t download cracks or tips unless from a trusted server,” Cliff Evans, head of Microsoft UK told V3.co.uk.

According to a statement from WordPress, a worm is currently exploiting a security hole in the software in an attempt to distribute spam and links to numerous forms of malware, including fake antivirus software.

A statement posted by WordPress on the company blog read: “This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

“The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.”

Users who are using downloaded versions of the open source CMS to run their self-hosted site or blog have been advised to upgrade to WordPress 2.8.4, a version which includes a patch that closes this security flaw. Bloggers that are using the online version of WordPress at www.wordpress.com are unaffected by the threat, although experts would advise users to back-up their posts if possible.

WordPress has also taken the opportunity to reminded users that an upgrade could save considerable time in having to repair a blog in the event of a security breach, writing “A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well – a little bit of work on an upgrade now saves a lot of work fixing something later.”

Michael Mooney, a 17 year-old student from Brooklyn, New York, created a worm that exploited a security flaw in the popular social networking site to promote his own website StalkDaily.

The worm created thousands of automated tweets containing the URL to Mooney’s site and crashing the Twitter server. Since then, Twitter has also had to contend with a number of copy-cat attacks.

Mooney described the release of the malware as a “grey” attack in that it was not developed to steal data or user information

But it has now emerged that Mooney has been offered lucrative positions from two software development firms and, according to ABC, has accepted an offer with web applications developers exqSoft Solutions.

Speaking to ABC News, exqSoft CEO Travis Rowland said: “I contacted him [Mooney] after I saw what he did to Twitter and asked him,” Rowland said, adding that Mooney will be doing security analysis and Web development.

“In my opinion, he could have stored the user information on their profiles but he didn’t,” he added. “He didn’t use it to steal personal information.”

Mooney isn’t the first computer virus author to land a lucrative IT security role. Only last month Owen Thor Walker, a teenager from New Zealand, landed a job as a security consultant for a telecommunications company after helping a crime gang hack into more than one million computers worldwide, reported AP.

The latest form of the virus, which has infected an estimated 15 million users worldwide, contains an instruction to perform a particular action on April 1, although nobody is yet sure as to what, if anything, that action is.

There are also suggestions that, given the hype over the worm, we could be about to witness the internet’s biggest ever April Fool’s Day joke.

The Conficker virus, also known as Downadup or Kido, has gained notoriety in recent months due to the rate at which it has spread as well as the number of high-profile organisations that have fallen prey to it. To date, several government, military and health systems are known to have been affected by the worm including the British Houses of Parliament IT system.

The virus buries itself deep inside the Windows operating system where it can then be used to steal users’ passwords and personal information, including bank details. It sets up files and starts downloading information from a controlling server, creating a “botnet” of infected PCs.

Many security experts believe that from midnight on April 1, the Conficker program will start scanning thousands of websites for a new set of instructions telling it what to do next.

Microsoft, which has released several security updates and urged customers to update their antivirus software, has offered a $250,000 reward for information that leads to the capture and conviction of the authors of the virus.

If you feel that you have been infected by the worm, download the free Conficker removal tool.

The Conficker has spread widely in recent months, with as many as 10 million PCs affected since a mass outbreak last month, including several high-profile systems including the UK National Health System and MoD.

The worm, also known as Downadup or Kido, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October. The spread of the virus was aided by the growing use of USB flash drives and external network devices.

General Manager of the Trustworthy Computing Group at Microsoft George Stathakopoulos said that the company would not tolerate the release of illegal malware which attacked their customers.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said Mr Stathakopoulos. “By combining our expertise with that of the broader community we can expand the boundaries of defence to better protect people worldwide.

“Microsoft’s approach combines technology innovation and effective cross- sector partnerships to help protect people from cybercriminals. We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.”

Microsoft has previously offered such rewards on two previous occasions. In 2003, the company offered a reward of $500,000 for the conviction of the author of the Blaster and Sobig worms and in May 2004 the software giant paid $250,000 to a group of German students whose classmate, Sven Jaschan, was the author of the Sasser and Netsky worms.

The figure makes it the worst outbreak of any form of malware since the Slammer worm outbreak back in 2003.

Whilst surveys have shown that Asia and Latin America have been the most badly affected by the outbreak of the worm, some 3,000 organisations have been affected by the virus – including the Ministry of Defence as well as a number of NHS Trusts and local authorities.

Around 3m PC’s are believed to have been affected by the worm, also known as Kido or Downadup, since Thursday alone. On Wednesday it was revealed that the worm is exploiting a weakness in the Beta release of Windows 7.

The spread of the worm has been largely attributed to the widespread use of USB sticks, which become infected with the worm before then being transferred to another PC.

Experts think a new variant is responsible for the recent outbreak, which has shot up from 2.4m infected computers on 15 January and are urging users to update their antivirus software and install Microsoft patch MS08-067.

K7 Computing has also released a free tool to remove the worm from already infected PC’s. The tool can be downloaded here.