Hackers are taking advantage of Valentine’s Day and of the lowered guard people have when they see an email related to it. The Nurech.B worm arrives in emails with subject lines such as: “Happy Valentine’s Day,” “Valentines Day Dance,” “The Valentines Angel.” The email sender is always a woman’s name such as Sandra, Willa, Wendy, or Vicky.
The email attachment simulates an e-greeting card using file names like “Greeting Postcard.exe,” “Greeting card.exe,” or “Postcard.exe.” When users click on the attachment, it creates a copy of the worm on the hard drive, and then conceals its presence using rootkit-like functions. The worm also disables certain antivirus, antispyware, and security applications installed on the system.
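The delivery pattern described above (holiday subject line plus an executable "greeting card" attachment) is the kind of thing a mail gateway can screen for. The following is an added example, not code from Panda Labs or from the original article; the blocked-extension list, the verdict names, and the helper functions are assumptions, and the sample messages are constructed with inert placeholder payloads.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure strings reported on this page, lower-cased with straight apostrophes.
LURE_SUBJECTS = {"happy valentine's day", "valentines day dance", "the valentines angel"}
LURE_FILES = {"greeting postcard.exe", "greeting card.exe", "postcard.exe"}
# Assumption: executable extensions this gateway refuses regardless of name.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def normalise(text):
    """Lower-case, unify apostrophes, collapse whitespace."""
    return " ".join((text or "").replace("\u2019", "'").lower().split())

def inspect_message(raw_bytes):
    """Return (verdict, reasons); verdict is 'quarantine', 'flag' or 'pass'."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons, executable = [], False
    if normalise(msg["Subject"]) in LURE_SUBJECTS:
        reasons.append("subject matches a reported lure")
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so "card.exe." still runs.
        name = normalise(part.get_filename()).rstrip(". ")
        if name in LURE_FILES:
            executable = True
            reasons.append(f"attachment name matches a reported lure: {name}")
        elif os.path.splitext(name)[1] in BLOCKED_EXT:
            executable = True
            reasons.append(f"executable attachment: {name}")
    if executable:
        return "quarantine", reasons
    return ("flag" if reasons else "pass"), reasons

def build_sample(subject, filename=None):
    """Constructed test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sandra@example.com", "user@example.com", subject
    msg.set_content("You have received a greeting card.")
    if filename:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for subject, filename in [("Happy Valentine\u2019s Day", "Greeting Postcard.exe"),
                              ("Photos", "holiday.jpg.exe."),
                              ("The Valentines Angel", None),
                              ("Q1 report", "report.pdf")]:
        print(subject, filename, inspect_message(build_sample(subject, filename)))
```

Matching on the extension rather than only on the reported file names is what keeps the check useful when the next variant renames its attachment.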
Panda Labs has detected the new Nurech.B worm, which, like its predecessor Nurech.A, arrives disguised as a Valentine’s Day message. Nurech.A — launched last week using similar methods — continues to spread, maintaining an “orange” alert level according to Panda Labs.
According to Mr. Luis Corrons, Technical Director of PandaLabs, “The objective of course is to trick users into opening the attachment using enticing subject lines related to the romantic holiday. This type of trick is usually quite successful, so we strongly advise users never to open any attachment that they have not requested, regardless of what it seems to contain.”
One massive attempt to infect everybody was not enough for these hackers. Mr. Corrons warns, “Last week they launched Nurech.A, which quickly reached orange alert levels. Now they are giving it a second try on Valentine’s Day itself. Do not open any Valentine’s Day or other e-card attachment without scanning it first using fully up-to-date antivirus software.”
Both waves of attack were automatically detected and blocked by Panda’s TruPrevent Technologies. Although neither of the two latest threats existed previously in malware signature files, TruPrevent was able to block them both based on real-time analysis of the behavior and intent of the malicious code contained in the attachments. All PCs with TruPrevent installed were therefore unaffected by the attack.
Computer users wanting to know whether their computers have been attacked by Nurech.A, Nurech.B, or any other form of malicious code can use Panda’s ActiveScan, a free service available at: www.pandasoftware.com/activescan. ActiveScan will perform a complete inspection, free of charge.