On Thursday, September 9th, 2010, Symantec began actively tracking a new, malicious computer worm that spreads using an e-mail attack. The threat arrives via e-mail asking the recipient to click on a link embedded in the e-mail. This link points to a malicious program file disguised as a PDF file. When the user clicks on this link, their computer instantly downloads and launches the malicious file. This process installs the worm onto the victim’s computer without the user knowing!
For more information on this threat, go to Additional Details.
How can this affect me?
The worm does not successfully attack Norton™/Symantec products, but it disables many other common AntiVirus products. Once running on the computer, the threat attempts to e-mail a copy of the original e-mail to all e-mail addresses found in the infected user’s e-mail address book.
The threat also attempts to spread from computer to computer over the local network (to other machines on your home or office network) by copying itself to open drive shares found on other machines on the network. Once the threat has copied itself to another machine, simply opening the folder that contains it on that machine launches the threat, which then spreads further through both e-mail and shared drives.
How can I protect myself?
We recommend Norton™ Internet Security. If you have an active subscription to a Norton™ security product, you are already protected. To get the latest free update, visit the Norton™ Update Center. If you don't have an active Norton™ security product, get protected now.
The worm uses e-mail for its initial propagation (an e-mail purporting to include a link to a requested document). Once inside corporations, it can spread rapidly via shared drives and removable drives. It also attempts to spread via e-mail by gathering e-mail addresses from the compromised computer.
The e-mail looks like the following:
Once the link is followed, it proceeds to download the actual malicious threat W32.Imsolk.B@mm which infects the compromised machine.
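A mail-gateway style check for the disguise described above, added here as an example and not Symantec's code: it flags links whose visible text names a document such as a PDF while the real target is a program file. The extension lists, the `disguised_links` helper and the sample message are constructed assumptions.

```python
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Assumed extension lists for illustration; adjust to local policy.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
PROGRAM_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def disguised_links(html_body):
    """Return links whose text names a document while the target is a program file."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    hits = []
    for href, text in collector.links:
        # Extensions the reader sees, e.g. ".pdf" in "report.pdf".
        shown = {ext.lower() for ext in re.findall(r"\.\w+", text)}
        # Extension actually fetched: last suffix of the URL path ("a.pdf.exe" -> ".exe").
        target = posixpath.splitext(unquote(urlparse(href).path))[1].lower()
        if shown & DOCUMENT_EXTS and target in PROGRAM_EXTS:
            hits.append((href, text))
    return hits

# Constructed sample message body (not the real e-mail).
SAMPLE_BODY = """<p>The requested document:</p>
<a href="http://files.example.test/docs/report.scr">http://files.example.test/docs/report.pdf</a>
<a href="http://files.example.test/docs/minutes.pdf">minutes.pdf</a>
<a href="http://files.example.test/tools/setup.exe">Download installer</a>"""
```

Only the first link in the sample is reported: the second really is a PDF, and the third does not claim to be a document.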
For more information, read our Symantec Security Response blog post.