Valentine’ Day and a patch offering worms

Nurech.B is the second variant of the Nurech family detected over the last few days. Like its predecessor, Nurech.A, this worm has used the days running up to Valentine’s Day to spread in email messages with romantic subjects. Some of these subjects are Happy Valentine’s Day or Valentines Day Dance.

The file containing Nurech.B varies, but it always consists of an executable file disguised as a greetings card. This file has names like Greeting Postcard.exe or Postcard.exe. Although the sender is also variable, it is always a woman’s name.

This worm has rootkit functions, aimed at hiding its processes and making it more difficult to detect. It also creates various copies of itself on the system and disables the functions of various security tools. Bear in mind that the previous variant of this family, Nurech.A, spread so quickly that it led PandaLabs to declare an orange virus alert. It is therefore advisable to be take precautions against this new variant.

The second worm in this week’s report is Atomix.C. When this worm is run, it returns an error message, which could make it easier to identify. To avoid this, this malicious code has developed an ingenious system: after this error message, it displays another that informs users that they have been infected by a virus and advises them to download a free patch against this virus from a certain website. If users accept the download, what they are really installing on their computer is an update of the worm.

In order to spread, this worm inserts links in MSN Messenger’s chat windows, when the messenger is open, leading to its download. It therefore exploits a legitimate conversation, which the recipient will trust, and inserts a link that downloads the malware. To deceive users further, Atomix.C adds messages like “download this postcard’ or “I want to show you something on this link’ to the links.