Symantec Security Response, 2009-02-28
W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from a compromised computer and spreads by copying itself to removable drives and shared folders. Trojan.Vundo is typically installed by visiting a Web site link that is contained in a spam email. However, we've observed that W32.Ackantta.B@mm actually emails a zipped file containing a copy of a Trojan.Vundo dll.
The worm may arrive on the computer as postcard.pdf.exe, with a snowman icon:
Once the worm is executed, it may display an image of cartoon animals such as the following image:
Yet again, attackers are taking advantage of the global economic environment by using social engineering to entice users to open malicious email attachments. Some of the observed subjects include the following:
Job offer from Coca Cola!
Thank you for your application
The attackers have also attempted to appeal to the desire for friendship by using the time-tested technique of malicious e-card subjects, such as the following:
You have got a new E-Card from your friend!
You have received A Hallmark E-Card!
In particular, we've observed the attachments listed below. We expect that, as is common with social engineering techniques, these attachments could change:
copy of your CV.zip
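A mail-gateway attachment check for the lure pattern described above (the postcard.pdf.exe double extension and a ZIP carrying a copy of a DLL), added here as an example and not part of the original post. The two quoted attachment names come from the post; the ZIP member name and the third attachment are constructed for the example.

```python
import io
import zipfile

# Suffixes involved in the lure: an executable hiding behind a document-looking name.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com"}
DOCUMENT_EXTS = {".pdf", ".doc", ".jpg", ".txt"}


def has_double_extension(name: str) -> bool:
    """True for names like postcard.pdf.exe: document suffix followed by an executable suffix."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS and "." + parts[2] in EXECUTABLE_EXTS


def executables_in_zip(data: bytes) -> list[str]:
    """Names of executable/DLL members inside a ZIP attachment; empty if the bytes are not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "." + n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS]


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Reasons to quarantine an attachment; an empty list means neither check matched."""
    reasons = []
    if has_double_extension(name):
        reasons.append(f"double extension: {name}")
    reasons.extend(f"executable inside archive: {m}" for m in executables_in_zip(data))
    return reasons


def make_sample_zip(member_name: str) -> bytes:
    """Build a small constructed ZIP holding one placeholder member (not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real binary")
    return buf.getvalue()


# Constructed samples: the first two names are quoted in the post, the rest is made up here.
SAMPLES = {
    "postcard.pdf.exe": b"MZ placeholder",
    "copy of your CV.zip": make_sample_zip("payload_copy.dll"),
    "quarterly_report.pdf": b"%PDF-1.4 placeholder",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {'; '.join(triage_attachment(name, data)) or 'clean'}")
```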
As a result of this increased activity, we've released more aggressive heuristics that detect and block hundreds of Trojan.Vundo variants. We have also increased the Risk Level of Trojan.Vundo from Level 1 to Level 2.
Based on our submission data, it appears that the worst of this attack is behind us, as detection levels appear to be decreasing. We plan to keep a vigilant eye on the current activities and any new developments. Stay tuned.
Note: My thanks to Angela Thigpen for her assistance with the research on this threat and information provided in this article.