Famus.B Worm That Exploits The Conflict In Iraq To Spread

The email carrying Famus.B tries to trick the user into believing that it contains a file with photographs of events occurring in this country

PandaLabs has detected a new worm called Famus.B, which uses so-called social engineering techniques to spread to users’ computers. Famus.B spreads via email in a message in English and Spanish referring to the conflict in Iraq. To be more specific, it tries to trick users into believing that the file contains photographs of these dramatic events. This message has the following format:

Subject:

Iraq and the crime

Message body:

what is really happening in Iraq?
the pictures of the soldiers and prisoners in Iraq
foward this message.
everybody should know the truth.

Qué est?? sucediendo realmente en Iraq?
Estas son las fotos de los prisioneros y los
soldados en Iraq.
Reenvia este mensaje, todo el mundo debe saber
la verdad.

The attached file, which actually contains the worm’s code, is called Iraq.scr. What’s more, the source code of this file contains the following message from the author of this malicious code:

Esta computadora ha sido infectada
por el virus LIBERTAD.
Como protesta por la violaci??n del
derecho a la libertad de expresi??n en Cuba.
En estos momentos toda la informaci??n de su
disco duro esta siendo borrada
El Hobbit

If the user runs this file, Famus.B displays a false error message on screen with the text: File corrupted or bad format. The worm also sends itself out to all the addresses it finds in the files with a DOC, EML, HTM, and HTT extension on the affected computer. To do this, it uses an SMTP engine that it creates on the affected computer in the form of an OCX library file.

Finally, Famus.B creates an entry in the Windows Registry in order to ensure that it is run whenever the affected computer is started up.

Even though Panda Software’s Tech Support services have not received any reports of incidents involving this worm, as it uses a current issue like the conflict in Iraq, this worm is likely to start causing incidents soon. For this reason, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Don't miss