- The Washington Times - Thursday, December 22, 2005

Beware of e-mails and instant messages offering Merry Christmas wishes: Santa Claus may be delivering malicious software to your computer.

A new Trojan horse program, MerryX.A, is hidden in e-mail messages with the subject “MERRY CHRISTMAS!” and the text line: “Merry Christmas and a Happy New Year!,” according to Panda Software, the information technology security firm that issued the alert Wednesday.

The virus is designed to gather information from the affected system while the user watches an animation of Santa Claus leaving presents under a Christmas tree.

Once run, MerryX.A records information about the computer, including its Internet Protocol address and hardware data, and sends it to a remote server. It also tries to download files from several Web pages, meaning the Trojan could serve as an entry point for other “malware,” which is any software or application that can damage IT systems.

The new virus was not among Panda Software’s top five malware threats in North America yesterday, said Patrick Hinojosa, chief technology officer at the Glendale, Calif., company. He said an accurate infection rate was difficult to assess so soon after its discovery.

The MerryX.A warning came one day after a similar one about a worm that attempts to get America Online, Microsoft MSN and Yahoo instant-messaging users to open a file that supposedly will take them to a harmless Santa Claus Web site.

But the IM, which appears to come from a trusted acquaintance, is really the IM.GiftCom.All worm that installs a “rootkit” on the recipient’s computer, according to IMlogic, a commercial instant-messaging firm in Waltham, Mass.

A rootkit is a program that runs underneath the computer’s operating system and can access anything on the machine invisibly, said Art Gilliland, vice president of products at IMlogic.

When the recipient clicks on a link, the rootkit is executed and attempts to shut down desktop anti-virus software. It also starts collecting the infected user’s information for broadcast over the Internet.

Infected users then may spread the worm by broadcasting the Web site address to people on their buddy list, Mr. Gilliland said.

Among IMlogic’s 1 million customers, about 1,000 were infected as of yesterday, he said, adding that a similar percentage of all AOL, MSN and Yahoo IM users would total about 200,000.

Targeted attacks around holidays or other major events, even something such as Hurricane Katrina, are not unusual, said Joe Wilcox, senior analyst at JupiterResearch.

Companies like Panda, IMlogic and others have large user networks and often get tipped off early about unusual or malicious activity, Mr. Wilcox said. He added that some companies offer bounties to the first people who identify a new virus.

And while MerryX.A and IM.GiftCom.All were the first Christmas-related scams this year, they are just the latest examples in a three-year trend.

A worm released last Christmas tried to pass itself off as a Christmas card in several languages, and a 2003 worm used a Santa Claus postcard, according to Panda Software.

“If you didn’t ask for the attachment, don’t open it,” Mr. Hinojosa said.

Mr. Gilliland said IM users should attempt to verify the person at the other end intended to send a link or attachment.


