Anti-virus software companies have issued warnings and software updates for a new worm, Wallon, that uses deceptive Web links to to trick users into downloading malicious programs.

Wallon first appeared last Friday and spreads in e-mail messages. However, anti-virus companies reported increased instances of the worm in the middle of the week and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.

Symantec and Network Associates' McAfee Antivirus Emergency Response Team said Wallon was a low-level threat. However, other companies, including Sophos and F-Secure, say they received numerous reports of the worm.

Like other mass-mailing worms, Wallon has its own SMTP engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML link to the webpage

Users who click the link set off a chain of events that results in their Web browser being redirected to a non-Yahoo website controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability". Triggering that flaw on unpatched Windows systems, however, allows the virus to download and run a file that replaces Windows Media Player with a malicious program that downloads the Wallon worm's main file and changes the Internet Explorer's home page to a page maintained by the virus writer.

In addition to stealing e-mail addresses for the purpose of spreading itself, Wallon forwards the addresses it finds on compromised systems to another e-mail address, which could be harvesting them for spammers, NAI said. After infection, Wallon also hijacks the victim's Web browser and directs it to a pornographic website,, NAI said.

Anti-virus companies issued updated Wallon virus definitions for their products on Tuesday and Wednesday, in addition to posting tools to remove the Wallon worm.

Find your next job with techworld jobs