New worm targets online Xmas shoppers

23 Nov 2009

A new malicious worm is making its presence felt strongly in Ireland and appears to be taking advantage of seasonal goodwill to get into systems.

The worm, known as the Merond worm, spreads via fake emails that seem legitimate with subject lines like: “Shipping update for your Amazon.com order”, “Your friend invited you to Twitter!”, “Your friend has sent you an ICQ Greeting Card!”, “You have received A Hallmark E-Card!” and “Jessica would like to be your friend on hi5!”

The worm relies on social engineering to encourage activation: the emails appear to come from a perceived “trusted source” such as order-update@amazon.com or invitations@twitter.com.

What to do

Cyber security firm ESET.IE advises users to examine emails closely and, if they look suspicious, to mark them as spam and delete them.

The emails all come with an attachment containing the Merond worm, which has been around for nearly a year but has recently been making its presence felt more strongly in Ireland. The attachment, a file or zipped file that appears to be a pdf, htm or some other file type, is actually an exe file which, if clicked on, executes its malicious content.
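The disguise described above, an executable posing as a pdf or htm file and sometimes wrapped in a zip, can be checked mechanically at a mail gateway. This is an added example, not code from ESET or the original article; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

DECOY_EXTS = {"pdf", "htm", "html", "doc", "txt", "jpg"}  # what the lure claims to be
EXEC_EXTS = {"exe", "scr", "pif", "com"}                  # what Windows will run

def looks_disguised(name: str, head: bytes) -> bool:
    """True if a file poses as a document but is a Windows executable."""
    parts = name.lower().replace(" ", "").split(".")  # also drops space padding
    final_ext = parts[-1] if len(parts) > 1 else ""
    double_ext = final_ext in EXEC_EXTS and any(p in DECOY_EXTS for p in parts[1:-1])
    pe_as_doc = final_ext in DECOY_EXTS and head[:2] == b"MZ"  # DOS/PE magic bytes
    return double_ext or pe_as_doc

def scan_message(raw: bytes) -> list[str]:
    """Return names of disguised executables attached to a raw email message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if looks_disguised(name, data):
            hits.append(name)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    head = b""
                    if not info.flag_bits & 0x1:  # encrypted members: name check only
                        with zf.open(info) as fh:
                            head = fh.read(2)     # two bytes suffice, no full unpack
                    if looks_disguised(info.filename, head):
                        hits.append(f"{name}:{info.filename}")
    return hits

def build_sample() -> bytes:
    """Constructed sample: a zip holding a double-extension stub, plus a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details.pdf.exe", b"MZ constructed stub, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Shipping update for your Amazon.com order"
    msg["From"], msg["To"] = "order-update@amazon.com", "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="order.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()
```

A plain `setup.exe` is not reported because it is not disguised; a gateway would normally block executable attachments outright as a separate rule.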

Once active, the worm copies its executable file to the Windows system directory and adds a link to its executable file to the system registry so it is launched automatically each time the system is booted.

In addition, the Merond worm adds its executable file to the Windows firewall list of trusted applications, harvests email addresses from users’ computers and sends itself to all of them, and copies itself to removable media, such as USB keys, to be further propagated by the Autorun method of infecting computers.

Computer users are reminded to regularly update their antivirus software so it can best detect infiltrations.

By John Kennedy

Photo: The Merond worm spreads via fake emails.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
