This just came out: Mass Email Worm Outbreak: W32.Imsolk.B@mm. Detailed information obtained from Symantec includes:
Symantec Security Response has observed a global mass-mailer worm spreading and affecting hundreds of thousands of computers worldwide. This appears to be a new attack, likely originating from a botnet; in mechanism, however, it resembles the classic old-school mass-mailing viruses such as Nimda, Melissa and the Anna Kournikova virus from 2001.
The worm spreads through a socially engineered email. The message arrives as an ordinary email that asks the recipient to click a link embedded in the body. The link points to a malicious program file, hosted on the internet, that is disguised as a PDF. When the user clicks the link, the computer downloads and launches that file.
Symantec customers are protected from W32.Imsolk.B@mm both today and in the future using updates, as well as the products and services outlined below.
How do I protect my organization against the W32.Imsolk.B@mm worm?
- Customers with Symantec Antivirus (SAV) or Symantec Endpoint Protection (SEP) are protected
- Rapid Release signature of Sept. 9th rev 023 or later detects and blocks this threat.
- This signature set will stop all new infections.
- A fully certified regular definition set (dated Sept. 9th) known as rev 024 provides these protections.
- Symantec Security Response has created a Symantec Endpoint Protection Application and Device Control policy to prevent infection by, and execution of, the threat and its side effects. The policy is linked from the Symantec outbreak page cited at the end of this post.
What does the threat do?
The worm uses e-mail for its initial propagation: an e-mail purporting to include a link to a requested document. The e-mail looks like the following:
Hello:
This is The Document I told you about, you can find it Here. <link to .SCR file>
Please check it and reply as soon as possible.
Cheers,
<name>
Once the link is followed, the W32.Imsolk.B@mm executable is downloaded and run, infecting the computer. From there it spreads rapidly across shared and removable drives, and it attempts to spread by e-mail using addresses harvested from the compromised computer. Note that the initial lure carries a link, not an attachment, so attachment stripping at the mail server does not stop it on its own; the download of the .SCR file has to be blocked, or the file detected on the endpoint.
The main characteristics of the worm’s functionality are as follows:
- Primary mode of infection: email recipient clicks on link
- Infection spreads through
- Email sent to contacts from the victim's address book
- Mapped and removable drives via autorun.inf
- Instant messenger transmissions
- Disables various security-related programs, but not Norton or Symantec products
Best Practices
Symantec is encouraging computer users to use the following security best practices:
- If you are currently suffering an infection, your best protection is to obtain the latest signature updates for Symantec Antivirus or Symantec Endpoint Protection
- If your systems cannot get access to the latest updates:
- Disable network sharing for the infected systems and/or disconnect them from the local network and Internet.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect those drives when they are not required.
- Apply the updates, remove the infection and then restore the host to the network.
Technical Support already has the following knowledge base articles on the topic:
- How to prevent a virus from spreading using the "AutoRun" feature
- Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x. This article includes specific instructions on using the SEP policy feature to block autorun.inf files.
- Keep antivirus definitions up-to-date.
- Avoid clicking on links and/or attachments in email messages.
- Configure mail servers to block or remove email that contains .SCR file attachments. Because this worm delivers its .SCR by link rather than as an attachment, also filter messages that link to .SCR files and block .SCR downloads at the web proxy or gateway.
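As an added example that is not part of the Symantec advisory or of this post, the following Python script performs two checks implied by the AutoRun guidance above: it parses an autorun.inf found on a mapped or removable drive and flags entries that would launch an executable (including the "Open folder to view files" action text worms use to mimic Explorer's own prompt), and it decodes the NoDriveTypeAutoRun policy bitmask to show which drive types still honour AutoRun. The autorun.inf content is constructed for the example; the script reads it as text and does not read or write the registry itself.

```python
"""
Triage helper for the autorun.inf propagation path.

(1) parse an autorun.inf from a mapped or removable drive and flag entries
    that would run a program when the drive is opened;
(2) decode the NoDriveTypeAutoRun bitmask to list drive types on which
    AutoRun is still enabled.
The sample autorun.inf below is constructed for this example.
"""
from __future__ import annotations
import re

EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# [autorun] keys that run a program directly, plus shell\<verb>\command keys
# that redirect Explorer verbs such as "Open" or "Explore".
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Bits of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
# \NoDriveTypeAutoRun. A set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    "removable": 0x04,
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
}
DISABLE_ALL = 0xFF  # the value the hardening guidance asks for


def parse_autorun_inf(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.
    Tolerates comments, blank lines and duplicate keys rather than raising."""
    pairs = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def _program_of(command: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _target_is_executable(value: str) -> bool:
    program = _program_of(value)
    ext = "." + program.rsplit(".", 1)[-1].lower() if "." in program else ""
    return ext in EXECUTABLE_EXTENSIONS


def suspicious_entries(text: str) -> list[dict]:
    """Findings for an autorun.inf, in file order."""
    findings = []
    for key, value in parse_autorun_inf(text):
        if (key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)) and _target_is_executable(value):
            findings.append({"key": key, "value": value, "severity": "high",
                             "reason": "launches an executable from the drive"})
        elif key == "action" and "open folder" in value.lower():
            findings.append({"key": key, "value": value, "severity": "medium",
                             "reason": "mimics Explorer's 'Open folder to view files' prompt"})
    return findings


def autorun_still_enabled(no_drive_type_autorun: int) -> list[str]:
    """Drive types on which AutoRun remains enabled under the given bitmask."""
    return [name for name, bit in DRIVE_TYPE_BITS.items()
            if not no_drive_type_autorun & bit]


# Constructed sample (raw string so the backslashes survive as written).
SAMPLE_AUTORUN_INF = r"""; constructed sample for this example
[autorun]
open=setup.scr
shellexecute=docs\readme.pdf.scr
shell\open\command=docs\readme.pdf.scr
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
label=My Documents
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_AUTORUN_INF):
        print(finding)
    print("AutoRun still enabled for:", autorun_still_enabled(0x91))
```

A NoDriveTypeAutoRun value of 0xFF disables AutoRun for every drive type, which is what the guidance above amounts to; the commonly seen default of 0x91 disables it only for network and unknown drives and leaves removable and fixed drives open, which is exactly the path this worm uses.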
Symantec products that can strengthen your organization’s security
Mail Security for Microsoft Exchange
- Outbreak detection: Identify that an active outbreak is occurring because of the volume of traffic generated by the same “Here you Have” email
- Internal mail filtering: Block all internal traffic of the “Here you Have” email using Content Filtering
- Mail store / inbox cleanup: Seek out and eliminate the “Here you Have” email from Mail Stores and end user inboxes
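The mail-gateway controls the advisory calls for, blocking .SCR content and filtering the "Here you have" message, can be expressed as a small rule set. The Python below is an added example and is not code from Symantec or from this post: it parses a message with the standard library, looks for the reported lure wording, and flags links or attachments whose final extension is executable, reporting double extensions such as document.pdf.scr that present as PDFs. The sample messages and the example.invalid host are constructed for the example.

```python
"""
Mail-gateway triage for the "Here you have" lure.

Flags messages that (a) carry the reported lure wording, (b) link to a
.SCR or other executable, or (c) attach one. Double-extension names such
as document.pdf.scr are reported separately as 'disguised'. Sample
messages are constructed for this example (domain example.invalid).
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt"}

# Wording reported for this outbreak, matched case-insensitively.
LURE_PATTERNS = [
    re.compile(r"here\s+you\s+have", re.I),
    re.compile(r"this\s+is\s+the\s+document\s+i\s+told\s+you\s+about", re.I),
]
BARE_URL_RE = re.compile(r"(?:https?|ftp)://[^\s<>\"')]+", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)


def text_parts(msg: Message):
    """Yield (subtype, decoded text) for every text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield part.get_content_subtype(), payload.decode(charset, errors="replace")


def extract_urls(subtype: str, text: str) -> list:
    """Bare URLs plus, for HTML, href targets; de-duplicated, order kept."""
    found = HREF_RE.findall(text) if subtype == "html" else []
    found += BARE_URL_RE.findall(text)
    return list(dict.fromkeys(found))


def classify_name(name: str) -> dict:
    """The last extension decides 'executable'; a document extension just
    before it (report.pdf.scr) marks the name as 'disguised'."""
    pieces = name.lower().split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    inner = "." + pieces[-2] if len(pieces) > 2 else ""
    executable = ext in EXECUTABLE_EXTENSIONS
    return {"name": name, "ext": ext, "executable": executable,
            "disguised": executable and inner in DOCUMENT_EXTENSIONS}


def classify_url(url: str) -> dict:
    """Classify a link by the basename of its URL path (query string ignored)."""
    info = classify_name(urlparse(url).path.rsplit("/", 1)[-1])
    info["url"] = url
    return info


def triage(raw_message: str) -> dict:
    """Return the verdict a gateway rule would apply to one RFC 822 message."""
    msg = message_from_string(raw_message)
    lure = any(p.search(msg.get("Subject", "")) for p in LURE_PATTERNS)
    exe_links, disguised_links, exe_attachments = [], [], []
    for subtype, text in text_parts(msg):
        lure = lure or any(p.search(text) for p in LURE_PATTERNS)
        for url in extract_urls(subtype, text):
            info = classify_url(url)
            if info["executable"]:
                exe_links.append(url)
            if info["disguised"]:
                disguised_links.append(url)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and classify_name(filename)["executable"]:
            exe_attachments.append(filename)
    if exe_links or exe_attachments:
        verdict = "block"        # executable by link or attachment: drop it
    elif lure:
        verdict = "quarantine"   # wording alone: hold for analyst review
    else:
        verdict = "deliver"
    return {"verdict": verdict, "lure_text": lure, "executable_links": exe_links,
            "disguised_links": disguised_links, "executable_attachments": exe_attachments}


# Constructed samples; the lure follows the wording quoted in the advisory.
SAMPLE_LURE = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Here you have
Content-Type: text/plain; charset="utf-8"

Hello:

This is The Document I told you about, you can find it Here.
http://example.invalid/docs/document.pdf.scr

Please check it and reply as soon as possible.

Cheers,
"""

SAMPLE_CLEAN = """Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Shall we meet at noon? Agenda: http://example.invalid/agenda.pdf
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
    print(triage(SAMPLE_CLEAN))
```

The verdict splits into "block" when an executable is reachable by link or attachment and "quarantine" when only the wording matches, so a legitimate message that happens to say "here you have" is held for review rather than silently dropped.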
Brightmail Gateway Small Business Edition
- Multiple layers of defense: Has over 20 different antispam technologies that can block new threats as they emerge.
- Updated rules: Brightmail Gateway updated both its antispam and antivirus rules to block this attack immediately after it was detected on Sept. 9th. Symantec deployed a combination of predictive and aggressive rules to ensure complete protection.
- Global Intelligence Network: Protection includes a 24×7 team of analysts and technicians as well as real-time feeds from the Symantec Global Intelligence Network. Brightmail Gateway automatically downloads updated rules as frequently as every second to respond to new threats.
Source: http://www.symantec.com/outbreak/index.jsp?id=w32imsolkbamm