Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

ZDNet: 'Second Christmas card virus Ataks users' - Atak.H

'Tis the season when the Christmas lights go up and the virus writers go into high gear trying to ride the latest wave of viral festivity with a theme-related worm or two. Zafi.D appeared on Tuesday and spread quickly with its provocative email message and Christmas cheer (and subsequent misery for those who managed to open it), and now ZDNet has highlighted yet another worm, Atak.H (.I to other vendors), that could make the egg nog taste a tad sour this year.

The ZDNet article is not very specific or technically in-depth, but provides some interesting information. The article states that F-Secure characterized the reports as “rolling in,” which is not a great measure of how fast a worm is spreading, but from what I have heard from various sources, any rolling in that is being done is being done quite slowly - this worm has not made much of a splash yet.

F-Secure's Mikko Hypponen offers a simple, but relevant suggestion for emailing Christmas cards on the Internet - don't do it:

“There are different levels of risk with these email Christmas cards,” said Mikko Hypponen, director of antivirus research for F-Secure. “It's very similar to past ones we've seen. There's little risk in sending Christmas cards, but there is in opening them. We recommend people to send old-school Christmas cards because there's no security risk in that.”

It's not common to see a recommendation like this, but I have to concur, at least to an extent: it is just a bad idea to send Christmas cards with attachments. With many online card senders making at least some of their money through mailing lists, it might be easier (and more personal) to splurge on postage and drop a card in the mail, at least to family and friends. Otherwise, I would recommend that everyone closely examine the privacy policy of any web site they enter their email into, especially if they are also entering the emails of others who may not appreciate the spam (I would hope this would be pretty much everyone).

On a technical and social engineering level, Atak.I is a fairly uninteresting prospect. It harvests email addresses from files on the hard drive and mails itself out using one of two subject lines and one of two message bodies. The subject lines are “Merry X-Mas!” and “Happy New Year!” The body texts are “Happy New year and wish you good luck on next year! [sic]” and “Merry Christmas! Happy New Year! 2005 will be the beginning!” The attachment name is built by joining two of the following extensions: .pif, .com, .bat, or .scr. This results in file names like pif.scr, com.bat, and scr.scr. The worm will sometimes send the attachment with a .zip extension instead. The message body is formatted as large, red text, like this image (courtesy of F-Secure):

http://www.f-secure.com/virus-info/v-pics/atak_h_email.gif
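The traits above (fixed subject lines, fixed body texts, and an attachment named from two of the four extensions) are enough for a simple mail-gateway rule. What follows is an added example, not code from the original post, from F-Secure, or from any vendor signature: a small Python filter that parses an RFC 822 message, collects the indicators it matches, and decides whether to quarantine it. The sample messages are constructed inline for the demonstration. Two checks go beyond the write-up and are labelled as assumptions in the comments: treating any .zip attachment as a weaker indicator (the post says a .zip form exists but not what it is named), and awarding a point to any attachment with a Windows-executable extension.

```python
"""Score an inbound message against the Atak.H/I indicators from the write-up.

Added example: the indicators are the observable traits described in the post
(subject lines, body texts, two-extension attachment names); the sample
messages below are constructed for this demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Exact strings the worm is reported to use.
SUBJECTS = {"Merry X-Mas!", "Happy New Year!"}
BODIES = {
    "Happy New year and wish you good luck on next year!",
    "Merry Christmas! Happy New Year! 2005 will be the beginning!",
}
# Attachment name = two of these extensions joined: pif.scr, com.bat, scr.scr, ...
ATAK_NAME_RE = re.compile(r"^(?:pif|com|bat|scr)\.(?:pif|com|bat|scr)$", re.I)
# Assumption (not from the write-up): any attachment ending in a Windows
# executable extension earns a weak point on its own.
EXEC_EXT_RE = re.compile(r"\.(?:pif|com|bat|scr|exe|cmd|vbs)$", re.I)


def attachment_names(msg):
    """Yield the declared filenames of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def score_message(raw: bytes) -> dict:
    """Parse one raw message and return its matched indicators and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    # The worm wraps its text in large red HTML; compare after stripping tags.
    text = re.sub(r"<[^>]+>", "", body).strip()
    if text in BODIES:
        hits.append("body")
    for name in attachment_names(msg):
        if ATAK_NAME_RE.match(name):
            hits.append(f"attachment:{name}")       # the characteristic name
        elif name.lower().endswith(".zip"):
            hits.append(f"zip:{name}")              # assumption: weaker indicator
        elif EXEC_EXT_RE.search(name):
            hits.append(f"executable:{name}")       # assumption: weaker indicator
    # The two-extension name alone is decisive. Otherwise require the exact
    # subject AND body plus some attachment, so a plain greeting is not flagged.
    strong = any(h.startswith("attachment:") for h in hits)
    has_attachment = any(h.split(":", 1)[0] in ("zip", "executable") for h in hits)
    verdict = strong or ({"subject", "body"} <= set(hits) and has_attachment)
    return {"hits": hits, "quarantine": verdict}


def build_sample(subject, body_html, filename=None, payload=b"MZ-constructed-bytes"):
    """Construct a sample message (made-up content) shaped like the described email."""
    m = EmailMessage()
    m["From"] = "aunt@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content(body_html, subtype="html")
    if filename:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one matching every trait, one plain holiday note, one
# using the .zip form with the other worm body text.
WORM_MAIL = build_sample(
    "Merry X-Mas!",
    '<font color="red" size="7">Merry Christmas! Happy New Year! '
    '2005 will be the beginning!</font>',
    "com.bat",
)
BENIGN_MAIL = build_sample("Merry X-Mas!", "<p>Hi, see you at dinner!</p>", "dinner.jpg")
ZIP_MAIL = build_sample(
    "Happy New Year!",
    "Happy New year and wish you good luck on next year!",
    "card.zip",
)

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("benign", BENIGN_MAIL), ("zip", ZIP_MAIL)):
        print(label, score_message(raw))
```

The decisive check is the attachment name, because the subject and body are plausible holiday text on their own; a gateway rule that only keyed on "Happy New Year!" would quarantine a great deal of legitimate mail in December.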

Atak.H is not very destructive and does nothing but spread, which it has not done significantly. A good measure of the outbreak potential of a new worm variant is how well previous versions of the same worm have done. McAfee notes 9 versions of the Atak worm, five of which were interesting enough to warrant write-ups. Of these, three have received media attention and a Low-Profiled risk, but none have received a Medium risk. The WildList, interim edition December 1st, indicates that Atak.A and Atak.B have both spread a small amount.

At this point, it is fairly safe to say that Atak.H/I will not become a major outbreak incident, but may very well be out there. So keep safe during the holiday season, and use common sense when dealing with any email - even if it's a Christmas card from your aunt.

Posted: Dec 16 2004, 05:23 PM by trafton | with 1 comment(s)