The body of the email pretends to offer links to documents or adult movies. But according to Symantec, "this link actually points to a malicious program file that is disguised as a PDF file, hosted on the Internet." In fact, the supposed PDF is a .scr (Windows screensaver) file containing malicious code, and executing it installs a worm on the user's computer.
"Screen saver (.scr) files have long been blocked as attachments, which is why this worm uses links," said Sean Sullivan, a security researcher at F-Secure.
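As an added illustration (not from the article or any vendor quoted in it), the following Python check flags email links whose real target is an executable type such as .scr while the link text or filename is dressed up as a document; the sample body and example.invalid URLs are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types Windows executes when opened; the worm described above used .scr
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# File types a lure typically claims to be (documents and movies)
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wmv", ".avi", ".mpg"}

class _LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _ext(name):
    """Lower-cased trailing extension of a path or label, or '' if none."""
    m = re.search(r"(\.[A-Za-z0-9]{1,5})$", name)
    return m.group(1).lower() if m else ""

def find_disguised_links(html_body):
    """Return links whose URL ends in an executable extension, noting whether
    the anchor text or a double extension (report.pdf.scr) mimics a document."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        path = urlparse(href).path
        real_ext = _ext(path)
        if real_ext not in EXECUTABLE_EXTS:
            continue
        # What the user is shown: the anchor text, and the name before the real extension
        shown = {_ext(text), _ext(path[: -len(real_ext)])}
        reason = "executable disguised as document" if shown & DOCUMENT_EXTS else "executable link"
        flagged.append({"href": href, "text": text, "reason": reason})
    return flagged

SAMPLE_BODY = (  # constructed sample body, not text from the real campaign
    '<a href="http://example.invalid/files/report.pdf.scr">report.pdf</a>'
    '<a href="http://example.invalid/files/notes.pdf">notes.pdf</a>'
    '<a href="http://example.invalid/setup.exe">installer</a>'
)
```

Run over the sample, the check flags the .scr link as a disguised document and the .exe link as a plain executable link, while the genuine .pdf link passes.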
Thursday, the U.S. Computer Emergency Readiness Team (US-CERT) issued an incident report warning that, "These attacks have the potential to prevent, at a minimum, the efficient operations of U.S. Government email systems."
When the worm infects a system, it first attempts to disable any antivirus programs that are running. Next, it emails everyone in the user's Outlook address book with a copy of the malicious message, and propagates to any open network shares on the local area network. Simply opening the folder containing the malware on the target computer will also cause that PC to become infected.
"The intention of the attack appears to be to steal information," said Graham Cluley, senior technology consultant at Sophos. Indeed, some of the malware components downloaded during the attack extract passwords from other applications on the PC, including browsers and email clients.
"This is something of a return to the malware attacks of yesteryear -- where hackers didn't care whose computers they hit, they just wanted to infect as many as possible," he said.
To mitigate the threat, Symantec recommends cutting off network sharing, local network access and Internet access for infected computers. It also recommends blocking all outbound traffic to the domains and IP addresses involved in the attack, so that the malware cannot be downloaded even if users click the link.
The .scr file used in the initial attack, however, no longer appears to be online. "The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow," said Marcus H. Sachs, director of the SANS Internet Storm Center.