‘Happy New Year!’ Worm Defeats Signature-Based AV Programs
The rapidly propagating 'Happy New Year!' worm is getting past the prevailing signature-based anti-virus programs, warns security firm Commtouch Software Ltd.
The 'Happy New Year!' outbreak has been the most intensive malware surge of 2006. It consists of a large number of distinct low-level variants, which were generated from a variety of simultaneous services and within short time intervals.
This sudden burst in 2006 could be seen as a clear forewarning of the kind of viral attacks to expect in 2007, said Commtouch Vice President of Products Haggai Carmon. During 2006, massive server-side polymorphic outbreaks hit the Internet in growing numbers and evaded traditional anti-virus solutions for periods ranging from several hours to weeks.
These outbreaks included 'Stration/Warezov', 'Feebs' and, of course, 'Happy New Year!'. Carmon continued that what makes them so unique is that they arrive in numerous, distinct and short-lived variants, making it almost impossible to develop a single signature or heuristic rule that successfully guards against them. As a result, malware writers have a fair chance of attacking the largest number of PCs.
Kaspersky Lab has dubbed the worm "Tibs", while Trend Micro calls it "Nuwar" and Symantec names it "Mixor.q". It arrives as an attachment named "postcard.exe" in e-mail messages with the subject line 'Happy New Year'. Users who open the file download keyloggers, a rootkit and other malicious code onto their computers.
During the first 65 hours of circulation of the 'Happy New Year!' worm, Commtouch detected and stopped 3,262 variants. On Friday, December 29, 2006, the company traced 842 variants that were released onto the Net within just five minutes. The firm reported that these worm-infected messages made up 12% of all e-mails distributed on Friday. Rival firm F-Secure, meanwhile, put it at 16.9% of all malicious e-mails.
Summarizing his observations, Carmon said this trend might continue to grow in 2007, since server-side polymorphic attacks have been the most successful at penetrating existing defenses. While virus writers concentrate on short-lived attacks during the New Year holidays, the Stration/Warezov attack will stretch on for months.
» SPAMfighter News - 06-01-2007