Wallon Worm Skirts Around Windows Patch Release

UPDATED: A new worm, dubbed Wallon.A, arrives on the Internet, requiring a convoluted infection process. Skipping from page to page, the worm arrives on the host following a call to Windows Media Player.

The latest exploit of Windows and Internet Explorer found its way into e-mail boxes in Europe on Wednesday with the arrival of the Wallon.A worm. According to security services, the new worm is considered a midrange threat and is continuing to spread in the wild.

Wallon.A, reported by several security services such as F-Secure Corp. and Network Associates Inc.s McAfee business unit, takes advantage of a known vulnerability in Windows.

In fact, its rather convoluted action was covered under the security advisory MS04-013, released in April.

Wallons infection process is complicated. Unlike the ordinary e-mail worm that arrives in an attachment to a message, Wallon appears as a link in a message to a Yahoo page. But with redirection, the Yahoo connection leads to another page that delivers an encrypted link to yet another page that delivers a special downloader application.

Microsoft provided a security patch for this vulnerability in April and suggested its application for all currently supported Windows versions. The company describes the update as "critical" and recommends it for all Windows variants, starting with Windows 98, even for systems where Outlook Express is not the default e-mail reader.

The downloader app is activated by a call to the Windows Media Player, so when the user enters a media-rich site or views some streaming content, the actual worm is finally downloaded. It then proceeds to perform a series of actions to propagate itself, the services report.

/zimages/3/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Microsofts latest patch release addresses a similarly convoluted social engineering mechanism with advisory MS04-015, titled "Vulnerability in Help and Support Center Could Allow Remote Code Execution." In this case, users are directed to a malicious Web page where they click on a link and follow directions. The actual attack occurs only after they perform the actions.

Editors Note: This story was updated to correct the related bulletin information.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: /zimages/3/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif