Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Love, Mass-Mailers in the Air

Few, if any, major holidays pass without a new virus to go along with them. Typically, these worms are not significantly more successful than non-themed worms. There are a few exceptions: Navidad for Christmas 2000, Ska (Happy99) for New Year's 1999 and, of course, the infamous Loveletter, which coincided with Valentine's Day 2000.

Now, gathering up bits from around the wire, we find news of a new Valentine's Day worm, a variant of the Kipis family. Per Symantec, which refers to the worm as Kipis.J:

W32.Kipis.J@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. It also attempts to spread through file-sharing networks.

Of course, love sells, but sex sells better - Kipis.J sends itself either with a cheery Valentine's Day message (i.e. “Happy Valentine's Day,” “Present,” or “for my love...”) or a suggestion of pornography within (“Re: My porno”). There are also a number of simply generic subjects (such as “here,” “hi,” and “your”). The attachments are a mix of suggestive and romantic messages, ending with either .exe, .scr, or .zip.

Kipis.J is a fairly complex worm. It adds obviously pornographic files to P2P programs' Shared Files folders, seeks email addresses from a range of files, and avoids sending itself to addresses that could belong to antivirus companies or spam trappers. Interestingly, it does not appear to disable antivirus programs.

Fortunately, it does not appear that Kipis.J is spreading significantly in the field at this time. I will watch it for future developments, but the good news is that, so far, it looks like Valentine's Day will be relatively calm.

Sophos also mentions another worm, VBS/VBSWG.D, as being a threat. From PC Pro in the United Kingdom:

According to UK security company Sophos, Kipis-H and VBSWG-D are already running amok, playing on hopes that inboxes will be filled with impassioned admissions of desire, come next Monday.

This is not the VBSWG.D that other antivirus companies isolated back in 2001 (more commonly known as “Independance Day”) but rather a new VBScript mass-mailer discovered recently. Sophos has information about it here. The worm comes in an email with the subject “First Love Story ...!!!” with FirstLove.VBS attached. The message body consists of two lines: “Hi,” and “Check the attachment”.

As with Kipis.J, it appears that VBSWG.D is not spreading significantly and may simply be mentioned because it was a Valentine's Day related worm, even if it is not actually being found in the field.
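As an added example (not code from Symantec, Sophos or this blog), the subjects and attachment names described above for Kipis.J and VBSWG.D can be turned into a simple mail-gateway triage check. The function names, the matching rules and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subjects and file names as given in the write-ups above; matching rules are assumptions.
KIPIS_SUBJECTS = {"happy valentine's day", "present", "for my love...",
                  "re: my porno", "here", "hi", "your"}
KIPIS_EXTS = {"exe", "scr", "zip"}
VBSWG_SUBJECT = "first love story ...!!!"
VBSWG_ATTACHMENT = "firstlove.vbs"

def _norm(text: str) -> str:
    """Lowercase, collapse whitespace, fold curly apostrophes to ASCII."""
    return " ".join(text.replace("\u2019", "'").split()).lower()

def _attachment_names(msg) -> list:
    # Windows ignores trailing dots and spaces, so strip them before comparing.
    return [_norm(p.get_filename() or "").rstrip(" .") for p in msg.iter_attachments()]

def classify(raw: bytes) -> Optional[str]:
    """Return a family hint for a raw RFC 5322 message, or None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = _norm(str(msg["Subject"] or ""))
    names = _attachment_names(msg)
    if subject == VBSWG_SUBJECT and VBSWG_ATTACHMENT in names:
        return "VBSWG.D"
    # Only the final extension decides how Windows opens the file (card.jpg.scr runs).
    final_exts = {n.rsplit(".", 1)[-1] for n in names if "." in n}
    if subject in KIPIS_SUBJECTS and final_exts & KIPIS_EXTS:
        return "Kipis.J"  # generic subjects such as "hi" make this a triage hint only
    return None

def sample(subject: str, filename: Optional[str] = None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Hi,\nCheck the attachment\n")
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, name in [("First Love Story ...!!!", "FirstLove.VBS"),
                       ("Happy Valentine's Day", "card.jpg.scr"),
                       ("Happy Valentine's Day", None)]:
        print(subj, name, "->", classify(sample(subj, name)))
```

Because several of the Kipis.J subjects are generic, a match is best treated as a reason to quarantine and inspect the attachment, not as a verdict on its own.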

Have a safe Valentine's Day and be careful out there. :)

Posted: Feb 10 2005, 03:19 PM by trafton | with 1 comment(s)