July 02, 2009

New E-holiday Card Virus Emerges

A new worm has surfaced that could be much worse than the notorious Storm worm, which ruled the botnet world for nearly two years.

Like the Storm worm, the latest worm, which anti-virus vendor ESET calls W32/Waledac, consists of an e-mail telling recipients they have received an e-holiday card and asking them to click on a link pointing to a file named ecard.exe to read it.

When they do, the link downloads a backdoor that connects to another Web site and downloads information off their PCs, Pierre-Marc Bureau, a researcher at ESET, told InternetNews.com.

But W32/Waledac's capabilities go way beyond those of the Storm worm, which took over up to 50 million PCs, according to security experts. Bureau said it uses the OpenSSL open source library and can download and verify cryptographic certificates and communicate with Web servers using the Secure Sockets Layer (SSL).

"That will let it communicate with the server and send and receive encrypted mail," Bureau said. This will make it harder for intrusion detection systems on the network to detect it. Users will have to put intrusion detection systems on their workstations, Bureau said.

Unlike the Storm worm, which used C and assembly languages, W32/Waledac uses high-level C++ with standard string libraries compiled with Microsoft (NASDAQ: MSFT) Visual Studio. "It's higher-level than the Storm worm," Bureau said.

Like the Storm worm, Waledac uses fast flux DNS, a technology that brings up a new server if the current one is blacklisted by ISPs (Internet service providers) for spamming.

However, W32/Waledac only uses four domain names, and that makes it easy to block out, Bureau said. "The network administrator in an enterprise network just has to block those four names from their DNS servers," he explained.

W32/Waledac first hit the Web in March, and has only just resurfaced, according to Bureau.

This article was first published on InternetNews.com.