New worm spreading around

A new worm is spreading around, using email as its propagation vector. This worm arrives as an attachment to an email with various and ambiguous subjects (e.g. “Hello”, “Test”). The name of the attached file varies accordingly from one email to another but all attachment names make use of double extensions. When executed, it drops the file rsmb.exe in the Windows folder and attempts to download a file, which may be possibly malicious. Initial analysis reveals that the malware seems to target individual email addresses in a particular domain by concatenating a common first name (e.g. john, mary, ann, etc.) to a well-known domain name. Below is a sample email:


TO: smith@[domain-name].com


SUBJECT: hello


BODY: [none]


ATTACHMENT: text.dat.pif


Update (Jasper, Mon, 28 Aug 2006 05:00:16 PM)

This threat will be detected as WORM_STRATION.AP. Its detection pattern is available in CPR 3.694.01