December 21, 2001, 4:57 PM — There's a virus writer out there who's given the Internet a last-minute gift, in the form of a new worm, before many businesses close for the Christmas holiday.
The worm, dubbed Shoho or Welyah, spreads via its own e-mail engine, rather than through Microsoft Corp.'s Outlook e-mail client as many worms do, and attempts to delete files, according to antivirus firms Network Associates Inc. and Trend Micro Inc. The worm also exploits the same vulnerability in Microsoft's Internet Explorer browser as the Badtrans worm, which first hit computers earlier this year. This vulnerability allows the worm to execute when an infected e-mail is opened or previewed, rather than when a user double-clicks on an attachment, the companies said.
Even users who have e-mail clients other than Outlook can be affected if they double-click attachments infected with Shoho.
Shoho arrives in in-boxes with a subject line that reads "Welcome to Yahoo! Mail," and a body message of the same text. Also included in the mail is an attachment called Readme.txt. This is actually a .PIF file, however, and 125 spaces are inserted between the .TXT and .PIF extensions, in an attempt to hide the file's true extension from users, Trend Micro said. NAI reports that the Readme.txt is an .EXE file, rather than .PIF.
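A mail filter can catch the padded-extension trick described above by looking at the attachment's final extension instead of the part a user sees. The following is an added example, not code from the article or from either antivirus vendor; the extension list beyond .PIF and .EXE, the three-character padding threshold, and the sample message are assumptions constructed for illustration.

```python
import email
import re

# .pif and .exe are named in the article; the other entries are assumed additions.
EXECUTABLE = {".pif", ".exe", ".scr", ".com", ".bat"}
PAD = re.compile(r"\s{3,}")  # assumed threshold: 3+ consecutive whitespace chars

def check_filename(name):
    """Return a list of reasons the attachment name looks disguised."""
    reasons = []
    stem, dot, last = name.rstrip().rpartition(".")
    real_ext = (dot + last).lower() if dot else ""
    if real_ext in EXECUTABLE:
        reasons.append("executable extension " + real_ext)
        if PAD.search(stem):
            reasons.append("whitespace padding before real extension")
        if re.search(r"\.[A-Za-z0-9]{2,4}\s*$", stem):
            reasons.append("decoy extension before real extension")
    return reasons

def scan_message(raw):
    """Map each flagged attachment filename in a raw message to its findings."""
    # message_from_string uses the legacy compat32 policy by default; this
    # check relies on it returning the padded filename unchanged.
    msg = email.message_from_string(raw)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        reasons = check_filename(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample modelled on the description above; not a captured message.
PADDED = "Readme.txt" + " " * 125 + ".pif"
SAMPLE = (
    'Subject: Welcome to Yahoo! Mail\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nWelcome to Yahoo! Mail\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="' + PADDED + '"\n\n'
    'placeholder\n--b1--\n'
)

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE).items():
        print(repr(name), reasons)
```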
When the attachment is double-clicked or an e-mail containing the attachment is opened or previewed, the worm sends itself to all addresses found in the Outlook address book, but uses its own SMTP (Simple Mail Transfer Protocol) engine, rather than using Outlook, Trend said. NAI, however, reports that the worm scans the infected PC's hard drive for e-mail addresses, and stores them in a file called EmailInfo.txt before it sends itself to those addresses.
Once the worm has activated, it attempts to add about a half-dozen files to the computer and delete dozens of others, the companies said. The deletion of these files could cause the computer to crash and prevent it from starting up properly afterwards, NAI said. The worm only affects Windows PCs, the companies said.
Though both companies rank the worm as low risk, its ability to delete files makes it worth noting.
The patch to fix the problem in Internet Explorer, which Outlook uses for some functions including previewing messages, can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp.
Users should check with their antivirus companies for updates to deal with the Shoho worm.