Anti-virus software companies have issued warnings and software updates for a new worm, Wallon, that uses deceptive Web links to Yahoo.com to trick users into downloading malicious programs.
Wallon first appeared last Friday and spreads in e-mail messages. However, anti-virus companies reported increased instances of the worm in the middle of the week and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.
Symantec and Network Associates' McAfee Antivirus Emergency Response Team said Wallon was a low-level threat. However, other companies, including Sophos and F-Secure, say they received numerous reports of the worm.
Like other mass-mailing worms, Wallon has its own SMTP engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML link to the webpage http://drs.yahoo.com.
Users who click the link set off a chain of events that results in their Web browser being redirected to a non-Yahoo website controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability". Triggering that flaw on unpatched Windows systems, however, allows the virus to download and run a file that replaces Windows Media Player with a malicious program that downloads the Wallon worm's main file and changes the Internet Explorer's home page to a page maintained by the virus writer.
In addition to stealing e-mail addresses for the purpose of spreading itself, Wallon forwards the addresses it finds on compromised systems to another e-mail address, which could be harvesting them for spammers, NAI said. After infection, Wallon also hijacks the victim's Web browser and directs it to a pornographic website, pixpox.com, NAI said.
Anti-virus companies issued updated Wallon virus definitions for their products on Tuesday and Wednesday, in addition to posting tools to remove the Wallon worm.