Wallon worm uses Yahoo, MS to spread
Antivirus software companies issued warnings and software updates on Tuesday and Wednesday for a new worm, Wallon, that uses deceptive Web links to Yahoo.com to trick users into downloading malicious programs. Wallon first appeared last Friday and spreads in e-mail messages. However, antivirus companies reported increased instances of the worm on Tuesday and said users could be tricked by its e-mail messages, which do not contain virus-infected file attachments.
Symantec Corp. and Network Associates Inc.'s (NAI's) McAfee Antivirus Emergency Response Team said Wallon was a low-level threat. However, other companies, including Sophos PLC and F-Secure Corp., said they received numerous reports of the worm.
Like other mass-mailing worms, Wallon has its own SMTP (Simple Mail Transfer Protocol) engine and grabs e-mail addresses from files stored on compromised computers. Wallon-generated messages arrive with subject lines that read "RE" and an HTML (Hypertext Markup Language) link to the Web page http://drs.yahoo.com, according to antivirus companies.
Users who click that link set off a chain of events that redirects their Web browser to a non-Yahoo Web site controlled by the virus author and designed to trigger a long-patched Internet Explorer security hole known as the "object data vulnerability." On unpatched Windows systems, triggering that flaw allows the virus to download and run a file that replaces Microsoft Corp.'s Windows Media Player with a malicious program, which in turn downloads the Wallon worm's main file and changes Internet Explorer's home page to a page maintained by the virus writer, F-Secure of Helsinki said.