Christmas Virus Spreading on Net

A new Christmas-themed virus began spreading Wednesday morning on the Internet and is likely to catch many PC users unaware, security experts said.

The new mass-mailing worm is variously known as W32.Reeezack and W32.Zacker and is spreading via Microsoft Corp.s Outlook e-mail client as well as the MSN Messenger instant-messaging client, according to an advisory released by Symantec Corp. Once it is resident on an infected machine, the worm changes the Internet Explorer start page to a malicious site that uses an IE exploit to create a VBScript file on the PC.

This script in turn spreads the worm via shared network drives and also deletes anti-virus files and any files in the Windows system directory. Experts say the worm may also be spreading via the IRC chat network.

Reeezack arrives in the users e-mail inbox with a subject line of “Hii.”

The body of the e-mail reads:

“I cant describe my fellings

But all i can say is

Happy New Year :)

Bye.”

The attachment containing the worm is called Christmas.exe.

In addition to its malicious payload, the worm also mails itself to every address in the infected machines Outlook address book and disables some keys on the keyboard.

Anti-virus experts at Computer Associates International Inc. first began hearing reports of the worm early Wednesday morning in Europe, and many of the infections have been in the United Kingdom so far, they say. The combination of the Christmas theme and the destructive payload makes Reeezack a potentially very dangerous worm.

“This is not exactly the type of holiday greeting youre expecting,” said Ian Hameroff, director of anti-virus solutions at CA in Islandia, N.Y.

Home PC users are especially vulnerable to the worm, Hameroff said, as they are more likely to open attachments. Also, home users are far less likely to have backed up all of their data, meaning they could be faced with having to reinstall their operating system if the worm succeeds in deleting all of the files in the Windows system directory.