eScan security experts have warned against opening emails or their attachments with subject lines such as "You have received A Hallmark E-Card!", "Your friend invited you to twitter!", "Thank you from Google!", "Jessica would like to be your friend on hi5!" and "Shipping update for your Amazon.com order 254-71546325-658732". These e-mails also carry zipped attachments which have been found to contain new variants of the malware in the wild.
The "You have received A Hallmark E-Card!" spam mail comes with postcard.zip or a similarly named attachment. The payload in the zip file contains malware that can mass-mail messages, using its built-in SMTP client engine, to the e-mail addresses harvested from the local computer.
The payload also contains malware with the characteristics of Vundo (aka VirtuMonde/VirtuMundo), a Trojan horse that causes pop-ups and advertises rogue antispyware programs. Vundo can infect a system when a browser merely visits a Web site link contained in a spammed mail. It is known to add itself to the startup registry, create a DLL file in the Windows system32 directory and inject it into the system processes winlogon.exe and explorer.exe.
The malware can also send download requests to fetch other files from the Internet and spread quickly by itself across a network.
Another e-mail doing the rounds takes advantage of the popularity of social networking sites such as Twitter and Hi5 to spread itself. These spam e-mails carry a deadly payload: a variant of the Buzus worm, a network-aware, bot-creating Trojan. On infection, it creates a startup registry entry and modifies the hosts file to prevent access to security websites. It can also send spam mail to the e-mail addresses harvested from the local infected system and try to spread itself.
The malware-spreading spam also had subject lines such as "Thank you from Google!" and "Shipping update for your Amazon.com order 254-71546325-658732", and carried attachments with typical names such as Invitation Card.zip, Postcard.zip, Shipping documents.zip or CV-20100120-112.zip.
Unsuspecting users who open the files are infected immediately and the malware then tries to infect other systems in the network by sending malicious mails to addresses harvested from local address books on the infected computers.
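A mail gateway or mailbox sweep can triage for this campaign using the subject lines and attachment names quoted above. The following is an added example, not eScan's code: the function names, the quarantine rule and the generalised order-number and CV patterns are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Subject lines quoted in the advisory. The order number is generalised to any
# digit groups (assumption: it may differ from message to message).
LURE_SUBJECTS = [
    r"you have received a hallmark e-card",
    r"your friend invited you to twitter",
    r"thank you from google",
    r"would like to be your friend on hi5",
    r"shipping update for your amazon\.com order [\d-]+",
]
# Attachment names quoted in the advisory; the CV-<date>-<n> form is generalised.
LURE_ATTACHMENTS = [
    r"postcard\.zip", r"invitation card\.zip",
    r"shipping documents\.zip", r"cv-\d{8}-\d+\.zip",
]

def matches(patterns, text):
    text = " ".join(text.split()).lower()  # collapse folded whitespace
    return any(re.search(p, text) for p in patterns)

def triage(raw_message):
    """Report which advisory indicators one RFC 5322 message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject_hit = matches(LURE_SUBJECTS, str(msg["Subject"] or ""))
    names = [part.get_filename() or "" for part in msg.walk()]
    zips = [n for n in names if n.lower().endswith(".zip")]
    attachment_hit = any(matches(LURE_ATTACHMENTS, n) for n in zips)
    return {
        "subject_hit": subject_hit,
        "zip_attachments": zips,
        "attachment_hit": attachment_hit,
        # Hold the message when a lure subject carries any zip, or a zip has a lure name.
        "quarantine": (subject_hit and bool(zips)) or attachment_hit,
    }

def sample_message(subject, filename=None):
    """Build a constructed test message; the zip body is an empty archive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("See attachment.")
    if filename:
        m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                         subtype="zip", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(triage(sample_message("You have received A Hallmark E-Card!", "postcard.zip")))
```

Name matching alone will miss renamed attachments, so it complements rather than replaces content scanning of the archive.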
Govind Rammurthy, CEO and MD of eScan, notes: "It is still surprising to see users opening suspicious e-mails and clicking on attachments or links without verifying the authenticity of the e-mail. These variants have become more malicious than the earlier variants. They are network aware and pose a great danger to corporate networks as a single infection can lead to a network outbreak within an hour.
"To avoid such catastrophic scenarios, one should always use reputed and genuine security software and should also have the latest security updates installed in their system."