Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Worm Promises World Cup Tickets

Banwarum's goal is to steal email addresses and flood the network with traffic

If you've got soccer fans in your enterprise, you had better check your antivirus software quick.

A new worm dubbed "Banwarum" or "Zasrancheg" began circulating around the Web last week and already has produced three variants, according to researchers and antivirus software makers. Most of the vendors said they have created updates that handle the worm, but several pre-update infections have also been reported.

The worm sends itself to users as an email message, usually in German, inviting them to access a password-protected archive that contains electronic tickets to the World Cup soccer games in Germany next month. The password for the archive is included in the email.

If a user accesses the archive, the worm steals email addresses from the victim's machine and spreads more messages to those addresses. Some of the worm's messages are similar to those sent by the Sober worm, according to antivirus vendor F-Secure. Like Sober, Banwarum could potentially result in a debilitating flood of message traffic across an enterprise, though no large-scale problems have been reported as of yet.

When accessed, the worm drops its main component into the Windows System directory as the file "mszsrn32.dll." This file is then injected into the Windows logon executable, making it possible for the DLL to get control before the user logs on to Windows.

The worm has spawned three variants: Banwarum.A, .B, and .C, but antivirus vendors such as Aladdin, F-Secure, McAfee, Secunia and Symantec all say they have updated their software to stop its spread. Symantec reported fewer than 50 infections in only a couple of locations. The vendors generally reported the risk to be low.

Although the messages are in German, the original worm file uses the Russian word "Zasrancheg," which suggests it may have been created in Russia.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story

Aladdin Knowledge Systems Ltd. (Nasdaq: ALDN) F-Secure Corp.

  • McAfee Inc. (NYSE: MFE)
  • Secunia
  • Symantec Corp. (Nasdaq: SYMC)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    7 Tips for Infosec Pros Considering A Lateral Career Move
    Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
    For Mismanaged SOCs, The Price Is Not Right
    Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    IT 2020: A Look Ahead
    Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
    Flash Poll
    How Enterprises are Attacking the Cybersecurity Problem
    How Enterprises are Attacking the Cybersecurity Problem
    Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2015-3154
    PUBLISHED: 2020-01-27
    CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
    CVE-2019-17190
    PUBLISHED: 2020-01-27
    A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
    CVE-2014-8161
    PUBLISHED: 2020-01-27
    PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
    CVE-2014-9481
    PUBLISHED: 2020-01-27
    The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
    CVE-2015-0241
    PUBLISHED: 2020-01-27
    The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...