Spamta.CY Worm Infects PCs Through Spam Mails

Security experts at Panda Labs detected a spam mail currently circulating that contains a file infected with Spamta.CY Worm. Millions of computer users have installed Panda Labs' security software called "TruPrevent" technology. Through the worldwide network of this sensor, the security firm was able to find many cases in which the worm had attacked its users' computers.

The e-mail messages containing Spamta.CY Worm use different subjects selected at random. They could be "Error", "Hello", "Good day", "Mail Delivery System", "Mail Transaction Failed", "Mail Server Report", or "Test & Picture Status". The message body is usually empty or contains a warning that the recipient's PC is infected with some malware.

The message has two versions. The first one says that the recipient's firewall has determined the e-mail containing the worm. It then says that such e-mails are common these days and the virus is of a new kind (Network Worms). It also says that the virus exploits a new vulnerability in Windows that can infect the computer without the knowledge of the user. The message claims that after getting hooked to a computer, the virus collects all e-mail ids of the user's address book and sends its copies to all the addresses. It, therefore, asks the recipient to install anti-virus products to clean up the worm in order to bring the PC to its original state. While signing off with best regards, the e-mail poses to come from a customer service.

Being rather simple, the second version of the message says that as mail transaction has failed only partial message is viewable.

The file in the e-mail has a randomly chosen name - "body.zip", "readme.zip", "doc.dat.exe", "update-kbnnnn-xnn.exe(n=digit)", "update-kbnnnn-xnn.zip", and "test.elm.exe". The file loaded with Spamta.CY Worm when executed infects the computer. Signs are that it opens Notepad in Windows and displays some non-sequential set of characters of the notepad. In addition, it searches e-mail ids present on the computer to which it sends its replicas through its own SMTP.

Panda Labs has recommended users to update their anti-virus software. It has also released technical details and instructions for removing the worm on its website.

Related article: Spamta Variants- Still Causing Headaches

» SPAMfighter News - 10/4/2006