# [USA ONLY] VIRUS/WORM advisory (IRS worm)



## gyrgrls (Nov 22, 2004)

Not too many of my online friends have seen this yet,
and it doesn't show up in virus definition databases,
because it is polymorphic.

It is a worm. Here's how it works:
You will receive an email "From" the
Internal Revenue Service. The body of the email will state
something to the effect of you owing taxes, underpaying 
taxes, or failing to file...

...you are taken to a fake website, and are asked to
"download a fraud form" from the fake site. Well, it's
an executable file. In most cases, it's an exe extension,
but it might be xls, shs, or doc extension.

In any event, if you open it on a Windows machine, it will
install a MASS-MAILING TROJAN on your computer, thus
replicating itself by turning your machine into a spamming
zombie. While this worm itself is benign, it is not good, since
it wastes bandwidth and hard drive space, even though all
it does is replicate itself via email address books. The trojan
will automatically run the next time you start your computer,
and scan your address book for email addresses, cloak the
sending (originating) address, and send a copy of itself to
everybody in your address book. It seems to target users
of Outlook, Outlook Express, Yahoo, and Gmail. Pegasus 
and Eudora mail lists seem to be immune. Linux users do 
not seem to be affected. I am unsure about OS X, since this
is a brand new worm - but it is spreading like wildfire. 
I haven't seen anything this ridiculous since the incarnation
of the "Happy New Year" worm, in 1999.

This virus/worm is so new, that many virus scanners still
won't recognize it. 

The best way to avoid this worm, as with others, is, of course,
to open emails from strangers with extreme caution, and to NEVER 
run an exe file or open a DOC file, unless it's from someone you know,
and you know that that someone is smart enough to weed out malware.

Never open an executable attachment from an unknown source,
especially if it's in an email attachment. It's just too much risk.



this article has been scanned for viruses


"Daddy, can I hit 'send' ?"

"Daddy, what does 'Formatting C:/' mean?"

"Illegal operation"? Am I going to jail? "No but you should be chrooted for life."


----------
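
As an added illustration (not part of the thread and not any poster's code): the first post says the download is an executable that may carry an exe, xls, shs, or doc extension. This Python sketch triages a file by its leading bytes instead of its name; the function names, verdict labels, and sample files are constructed for this example.

```python
import os

# Well-known leading-byte signatures.
PE_MAGIC = b"MZ"                               # DOS/PE executable
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 container (.doc, .xls, .shs)

RUNNABLE_EXTS = {".exe", ".shs"}   # extensions from the post, treated here as runnable
DOCUMENT_EXTS = {".doc", ".xls"}   # document extensions from the post


def sniff(data: bytes) -> str:
    """Return the file type implied by the first bytes, not by the name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def triage(filename: str, data: bytes) -> str:
    """Hypothetical verdicts: 'block', 'review' or 'document'."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)
    if kind == "pe" or ext in RUNNABLE_EXTS:
        return "block"      # executable content or a runnable extension
    if ext in DOCUMENT_EXTS and kind == "ole":
        return "document"   # real Office container; sender trust still applies
    return "review"         # name and content disagree, or type is unknown


# Constructed sample files: only the header bytes matter here.
SAMPLES = {
    "fraud_form.exe": PE_MAGIC + bytes(62),
    "fraud_form.doc": PE_MAGIC + bytes(62),    # executable renamed to .doc
    "fraud_form.shs": OLE_MAGIC + bytes(56),
    "fraud_form.xls": OLE_MAGIC + bytes(56),   # genuine OLE2 header
    "fraud_form.DOC": b"plain text, not a Word file",
}


def run_samples() -> dict:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {verdict}")
```

A "document" verdict only means the container matches the name; it says nothing about macros or embedded objects inside it.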



## gyrgrls (Nov 22, 2004)

More on this later.

It doesn't seem to steal passwords or infect
other files, but give it time, and it'll soon contain
a destructive payload, much like the "sircam" trojan.

This is a trojan horse, and should not be taken lightly.
I have several copies (variants) on my goat right now,
and am in the process of disassembling them.
I have also submitted them to both Alwil and Symantec.

Do NOT try this yourself, unless you are an expert.
Leave it to the experts, who can safely deal with crap
like this. An email worm is nothing to fool with.


----------



## JohnWill (Oct 19, 2002)

One should NEVER open any unknown email attachments, and no financial institution or the government ever sends official correspondence with attachments by email, and most CERTAINLY not compressed or executable attachments!

This is yet another example of social engineering winning the battle because of all the ignorant people that don't think before they click!


----------



## gyrgrls (Nov 22, 2004)

You know that, John, as surely as I do, but sadly, you are correct
about social engineers preying on the ignorant.
It will only get worse, I'm afraid, as computers get cheaper and faster. ;`(


----------



## gyrgrls (Nov 22, 2004)

Oh, BTW, the trojan sits on a fake website,
while the email worm just generates emails 
that link to the fake site(s).

Dangerous code can even be embedded into a document with
image tags, or with java, and some of the older browsers
are vulnerable, as are earlier versions of Windows.

People who use computers and the internet just need
to be educated properly.


----------



## win2kpro (Jul 19, 2005)

gyrgrls said:


> People who use computers and the internet just need
> to be educated properly.


Proper education needs to be: run a good antivirus and spyware program, but most importantly, regular images of your system with a program like Acronis True Image to external media can save a lot of misery.


----------



## JohnWill (Oct 19, 2002)

win2kpro said:


> but most importantly regular images of your system with a program like Acronis True Image to external media can save a lot of misery.


Once a week an automated run makes my image, and I have it configured to keep them 4 deep so I can go back a month if necessary.  That's in addition to my data backups...


----------

