'Happy New Year' Worm Gains Ground

Israeli security company Commtouch reported that at times, Tibs-infected messages made up nearly 12% of all e-mail sent worldwide.

January 2, 2007


The "Happy New Year" worm-carrying spam that first appeared last week accounted for 12% of all e-mail traffic over the weekend and continues to spread, antivirus vendors said Tuesday.

The worm, dubbed "Tibs" by Kaspersky Lab but also known as a "Nuwar" variant (Trend Micro) and "Mixor.q" (Symantec), appears as a file attachment named "postcard.exe" in messages with "Happy New Year" subject headings. Users who launch the executable will infect their PCs with rootkits, keyloggers, and other malware.

Israeli security company Commtouch reported that at times on Friday, Dec. 29, Tibs-infected messages made up nearly 12% of all e-mail sent worldwide. Rival F-Secure, meanwhile, said its data pegged the worm as accounting for 16.9% of all malicious messages, easily outdistancing long-running champs such as MyDoom and Mytob.

"This outbreak ushered out 2006 with a bang," said Haggai Carmon, Commtouch VP of products, in a statement Tuesday. "During 2006, a growing number of massive server-side polymorphic outbreaks swarmed the Internet and successfully maintained a sizable lead of several hours to weeks ahead of traditional signature-based solutions.

"What makes them so unique is that they are released in a large number of distinct and short-lived variants, making it impossible to generate one signature or heuristic rule to effectively protect against them [so] malware writers maximize their chances of infecting the largest number of machines," Carmon said.

Commtouch claimed it identified nearly 850 different variations of the worm in just five minutes last week.

Symantec, meanwhile, agreed that spammed malicious mail volume had spiked, but downplayed the threat. "Despite the volume of e-mail messages being distributed by the worm, actual infection numbers are currently quite low," the company said in a warning to customers of its DeepSight threat alert system.

Symantec recommended that users update their antivirus definitions; enterprises should filter executable (.exe) files at the gateway.
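The gateway-side check recommended above can be sketched as follows. This is an added example, not code from the article or from any vendor it quotes; the function names, the constructed sample messages, and the extra test on the leading `MZ` bytes (which catches an executable that has been renamed) are assumptions of the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The article names only .exe; the set can be extended by local policy.
BLOCKED_EXTENSIONS = {".exe"}


def executable_attachments(raw, blocked=BLOCKED_EXTENSIONS):
    """Return (filename, reason) for each attachment the gateway should block."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        # Skip inline body parts: only named or attached parts are inspected.
        if part.get_content_disposition() != "attachment" and not name:
            continue
        payload = part.get_payload(decode=True) or b""
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if name.lower().rstrip(". ").endswith(tuple(blocked)):
            hits.append((name, "extension"))
        # Content check: Windows executables begin with the bytes "MZ",
        # whatever the attachment is called.
        elif payload[:2] == b"MZ":
            hits.append((name or "<unnamed>", "MZ header"))
    return hits


def build_sample(filename, data):
    """Constructed test message; the payload is a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = "Happy New Year"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("Greetings")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 16          # constructed, not a real program
    fake_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for fname, data in [("postcard.exe", fake_exe),
                        ("postcard.jpg", fake_exe),
                        ("photo.jpg", fake_jpg)]:
        print(fname, executable_attachments(build_sample(fname, data)))
```

Because the check keys on file type rather than on a per-variant signature, it does not depend on how many short-lived variants of the attachment are in circulation.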
