New Worm Disguises Itself as Microsoft Patch

Security analysts are warning users to be wary of a new worm that disguises itself as a Microsoft security patch. The new threat hits just as damage from Bagle, Netsky and MyDoom collectively cross the $100 billion mark.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Security analysts are warning users to be wary of a new worm that disguises itself as a Microsoft security patch for the MyDoom virus.

Roca-A, which also is known as Sober-D in some circles, was released into the wild on Sunday and started hitting Germany and the United Kingdom right out of the gate. In the past 24 hours, it has spread to other countries, including the United States.

The worm arrives in inboxes with the subject line: ''Microsoft Alert: Please Read''. The body message refers to the detection of a new MyDoom variant.

The ZIP file attached to the email carries the Roca-A worm, according to analysts from Sophos, Inc., a Lynnfield, Mass.-based anti-virus and anti-spam company. Once installed, the worm will present a phony message stating that the patch has been installed correctly or that no patch was needed.

The worm also is bilingual.

If Roca-A determines that it is being sent to a German email address, it will present itself in German.

''As the Sober-C worm has shown in recent months, viruses which use more than one language when communicating with users can be more successful at not raising suspicion,'' says Graham Cluley, senior technology consultant for Sophos. ''Companies should ensure their anti-virus software is automatically updated, and screen for dangerous filetypes at their email perimeter.''

This new threat hit the Internet just as a dramatic wave of viruses and variants appears to be winding down. IT managers and the anti-virus community have been plagued over the last few weeks by a barrage of variants from the Bagle, Netsky and MyDoom families. Upwards of 16 variants and new worms hit the Internet in a matter of weeks. As for the Bagle worm alone, seven variants were let loose within a 72-hour period.

The security intelligence firm mi2g, which is based in London, released a report this morning calling last week's barrage of attacks ''historically unprecedented''.

So far, according to mi2g, the combined worldwide economic damage from Bagle, Netsky and MyDoom has crossed $100 billion. The company lists Sobig, MyDoom and Netsky as the most damaging malware in history.

The onslaught might have slowed slightly, but it certainly hasn't stopped.

In the last few days, Roca-A was joined by several other viruses, including the K and J variants of Netsky and the K variant of Bagle.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.