Mass Email Worm Outbreak: W32.Imsolk.B@mm

This just came out, Mass Email Worm Outbreak: W32.Imsolk.B@mm . Detailed information obtained from Symantec include:

Symantec Security Response has observed a global mass mailer worm spreading and affecting hundreds of thousands of computers worldwide. This appears to be a new attack – likely originating from a botnet – however, it is similar to the classic old school mass-mailing viruses like Nimda, Melissa and the Anna Kournikova virus from 2001.

The new, malicious computer worm spreads using a socially engineered email attack. The threat arrives in the form of a standard email that directs the recipient to click on a link embedded in the email. This link points to a malicious program file that is disguised as a PDF file, hosted on the internet. When the user clicks on this link, their computer downloads and launches the malicious file.
Symantec customers are protected from W32.Imsolk.B@mm both today and in the future using updates, as well as the products and services outlined below.

How do I protect my organization against W32.Imsolk.B@mm worm threat?

  • Customers with Symantec Antivirus (SAV) or Symantec Endpoint Protection (SEP) are protected
    • Rapid Release signature of Sept. 9th rev 023 or later detects and blocks this threat.
    • This signature set will stop all new infections.
    • A fully certified regular definition set (dated Sept. 9th) known as rev 024 provides these protections.
  • Symantec Security Response has created a Symantec Endpoint Protection Application and Device policy to prevent infections / execution of the threat and any side effects caused by the threat. The policy can be found here.

What does the threat do?

The worm uses e-mail for its initial propagation (an e-mail purporting to include a link to a requested document). The e-mail looks like the following:

This is The Document I told you about, you can find it Here. <link to .SCR file>
Please check it and reply as soon as possible.

Once the link is followed, it downloads the W32.Imsolk.B@mm threat, which infects the computer. Once inside, it can spread rapidly via shared drives and removable drives. It also attempts to spread via e-mail by gathering e-mail addresses from the compromised computer.

The main characteristics of the worm’s functionality are as follows:

  • Primary mode of infection: email recipient clicks on link
  • Infection spreads through
    • Email send to contacts from address book of victims
    • Mapped drives via autorun
    • Instant messenger transmissions
  • Disables various security related programs, but not Norton or Symantec products

Best Practices

Symantec is encouraging computer users to use the following security best practices:

  • If you are currently suffering infection, your best protection is to obtain the latest signature updates for Symantec Antivirus or Symantec Endpoint Protection
  • If your systems cannot get access to the latest updates:
    • Disable network sharing for the infected systems and/or disconnect them from the local network and Internet.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives and disconnect the drives when not in required.
    • Apply the updates. Remove the infection and restore the host to the network.

    Technical Support already has the following knowledge base articles on the topic:

  • Keep antivirus definitions up-to-date.
  • Avoid clicking on links and/or attachments in email messages.
  • Configure mail servers to block or remove email that contains .SCR file attachments.

Symantec products that can strengthen your organization’s security

Mail Security for Microsoft Exchange
  • Outbreak detection: Identify that an active outbreak is occurring because of the volume of traffic generated by the same “Here you Have” email
  • Internal mail filtering: Block all internal traffic of the “Here you Have” email using Content Filtering
  • Mail store / inbox cleanup: Seek out and eliminate the “Here you Have” email from Mail Stores and end user inboxes

More Information Purchase Today

Brightmail Gateway Small Business Edition
  • Multiple layers of defense: Has over 20 different antispam technologies that can block new threats as they emerge.
  • Updated rules: Brightmail Gateway updated both antispam rules and antivirus rules to block this attack immediately after it was detected on Sept. 9th. Symantec deployed a combination of predicative and aggressive rules to ensure complete protection.
  • Global Intelligence Network: Protection includes a 24×7 team of analysts and technicians as well as real-time feeds from the Symantec Global Intelligence Network. Brightmail Gateway automatically downloads updated rules as frequently as every second to respond to new threats.


Comments are closed.