True Love Never Dies

By Matthew Hines  |  Posted 2009-08-11 Print this article Print

True love never fades, it only hides for a short time to return again even stronger. At least that's what the romance experts seem to believe.

Unfortunately the same can be said of some long-in-the-tooth malware propagation techniques.

It's been like a trip down memory lane of late as malware distributors and spammers have been revisiting some of their most time-honored themes, both in terms of the infection and social engineering tactics that they've been employing to deliver their wares.

From Nigerian schemes to image spam, it's been a season of throwbacks lately as online scamsters re-enlist some of their oldest techniques to get their content onto end users' computers.

Now, researchers at Sophos are tracking the emergence of another new threat built along traditional lines as they've observed the emergence of a malware attack attempting to tap into the never out-of-style topic of "true love."

It was nearly a decade ago when the infamous "I love you" virus began making the rounds and infecting millions of endpoints worldwide.

And while the newer romance-themed threat bears little resemblance to its famous forbearer in terms of technical makeup, other than being a Trojan attack and incorporating the name of love in trying to dupe people into opening it, the latest campaign appears to be finding its way into the hearts of a number of machines, proving that people just can't seem to get enough love, the AV company said.

Dubbed by Sophos as W32/AutoRun-AOG, the attack is a Trojan worm that attempts to spread to network shared drives using the name "True_Love.exe." Once onboard, the worm then tries to copy itself to removable shared drives as "MsRun32.exe" and creates the file "AUTORUN.INF" on the removable drives, Sophos experts reported in a blog post.

The AUTORUN.INF file automatically runs the worm whenever an affected drive is connected to an uninfected computer. The attack also sends itself to users' contacts on Yahoo Messenger by forwarding an attached URL link. Other versions of the attack seen in the wild also use joke-themed file names and social engineering to trick users into taking the bait.

A few laughs, a little true love, who wouldn't be tempted to see what it's all about, right?

Attackers keep on using the same methods to game us, and as we all know, matters of the heart are simply hard to overcome.

But as long as we remain so predictably gullible, why would attackers ever truly change their spots?

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel