December 3, 2008 2:07 PM PST

Worm uses familiar brands to lure people

by Robert Vamosi

Ho-ho-ho. This isn't an offer for a real coupon book from McDonald's. It's a new mass-mailing e-mail worm.

(Credit: Websense)

On Tuesday, security vendor Websense issued an alert warning that holiday coupon e-mails from familiar companies may be malicious code in disguise, in this case a mass-mailing e-mail worm.

The warning cites one spoofed McDonald's e-mail that claims to present their latest discount menu, and asks the recipient to print out the attached coupon. A similar mailing pretending to be from Coca-Cola asks recipients to print out details about their new online game, and also offers recipients a chance to win Coca-Cola drinks for life. Websense says the attached zip file contains files named either coupon.exe or promotion.exe, both of which contain dropper files for remote access Trojan horses.

Previously, Websense issued an alert for a holiday-themed animated postcard.

This cute holiday card could install a worm on your PC, says McAfee.

(Credit: McAfee)

On Wednesday, McAfee identified a third holiday-themed e-mail using the Hallmark brand. McAfee has named the malware used as W32/Xirtem@MM and says this particular worm carries a built-in SMTP engine that mass-mails copies of itself to e-mail addresses harvested from an infected machine.

In all cases the e-mail appears to be legitimate, using images taken from the McDonald's, Coca-Cola, and Hallmark sites.

To avoid compromise, antivirus experts recommend not opening e-mail attachments as well as keeping your desktop's antivirus protection up-to-date.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by  Brian December 3, 2008 3:30 PM PST
Good thing those Windows .exe files don't work on a Mac!

Life is good. :)
by _sandman_ December 6, 2008 2:36 PM PST
They also don't work on Linux :)

If you run a virus in WINE, nothing really happens...
by Perry_Clease December 3, 2008 3:39 PM PST
Today I received an email that supposedly came from the US Post Office. It said:

"Unfortunaly we couldn't carry you the postal parcel sent on 28, October at the right time
as there is an incorrect recipient's address.

To take your package back you should print the copy of invoice that is in the added file

Your UPS"


Of course I was suspicious from the get-go and deleted the message, but with this being the season for mailing packages there may be people who will fall for it. Let's see, UPS is either my backup battery or United Parcel Service and not the abbreviation for the USPS.
by 42istheanswer December 3, 2008 3:45 PM PST
Why? Why does this stuff continue to work? Every Windows user should pack up their PC and ship it back to the vendor.
by superswiss December 3, 2008 4:23 PM PST
Because the user is effectively the weakest part on a computer. Look what happened to malware. Windows has become harder and harder to penetrate and fixes for newly discovered vulnerabilities are quickly released. Malware has moved away from OS malware to social malware. There's no patch to fix the stupidity of the user. Be careful what you wish for. If Windows users start ditching their PCs and go buy a Mac, these emails will start having OS X executables attached. The average Mac user is not any smarter than the average Windows user.
by theused22 December 3, 2008 6:01 PM PST
Just don't be stupid.. everyone I know hasn't ever gotten a virus because of being smart and not looking at bad porn sites, maybe you should try this when using Windows too.
by chedrz December 3, 2008 6:05 PM PST
I got a great one yesterday from PayPaI. You can't tell, but that "l" is an "i". They told me someone had tried to get into my account and that it had been frozen until I logged back in properly and provided more credentials. The link to the website led to an Italian domain. Last time I checked, PAYPAL was based in America...hmm...
by Perry_Clease December 3, 2008 8:17 PM PST
"I got a great one yesterday from PayPaI. You can't tell, but that "l" is an "i"... The link to the website led to an Italian domain."

That would be for pay pai as in paisan :)
by bruceslog December 6, 2008 6:41 AM PST
Yeah, I got that one too... didn't open it.. sent the headers and message source to the Real Paypal spoof department.
by sbaxter December 3, 2008 10:21 PM PST
Thanks for the heads-up!
by therad456 December 4, 2008 4:24 AM PST
Thanks a lot for the warning.
by starbuddy1995 December 5, 2008 1:09 PM PST
This is interesting, and thanks CNET and those who helped to deliver this heads-up.
by jtoylady December 6, 2008 11:46 AM PST
I have gotten more than one of these, I sent them all to the real PayPal.
You can usually tell when it is a fraudulent site, just look carefully at the spelling, the way it is worded and the content. There is always something that will give it away!
by chonkers December 6, 2008 3:41 PM PST
eBay is another biggie to watch for....I received one claiming that i have an outstanding product i have not paid for and eBay will be closing me down...just check into your paypal account and all will be cool......

yup, ok....i never even ordered a diamond necklace.....that was the giveaway and i have not bought anything through eBay....although i do use paypal on occasion

i gotta tell ya tho....it nearly had me....i really thought for a while i had bought this....be careful out there dudes