New Worm Spreads By Replying To All Mail
A worm making the rounds on the Internet not only mass-mails itself to addresses it hijacks on infected machines, but spreads by replying to unread E-mail messages in the user's in-box, security experts said Wednesday.
The Lovegate worm, which was first discovered last week and reappeared in repackaged, copycat form Tuesday, uses an auto-responding technique as well as the traditional address book theft to propagate, said Alfred Huger, VP of engineering at Symantec Corp.'s virus watch group.
"The two together are pretty vicious. This is really clever," said Huger, who called it another example of how hackers come up with ingenious ways to spread malicious code.
The latest version of the worm, dubbed Lovegate.w by Symantec and Lovegate.ab by rival security firm Network Associates, can sniff for unread messages in MAPI-compliant E-mail programs, such as Outlook and Outlook Express, then send itself as a reply to any in-bound message.
Auto-responders within worms aren't new, said Jimmy Kuo, a research fellow at McAfee (the virulent Klez worm of 2001 used the technique), but the combination of mass mailing and auto-responding means that Lovegate may spread fast and be tougher to spot.
"By responding to real mail, the worm doesn't have to come up with its own Subject line," said Kuo. "That makes it harder for users to identify."
Worms equipped with auto-responders, added Kuo, tend to have a longer life span. Klez, for example, topped the virus charts for nearly a year.
Lovegate also uses multiple attack vectors: it can spread not only through E-mail, but also through network shares. The worm uses other standard malware tactics as well, including disabling anti-virus software it finds on the targeted system and hiding within Zip archive files.