By Matthew Southwell
Kaspersky Labs has detected a new Internet worm called Tanatos that spreads via e-mail attachments and local area networks (LANs).
Russia-based Kaspersky Labs has detected a new Internet worm called Tanatos. Spread via e-mail and local area networks (LANs), the worm is a 50 KB Windows attachment that is written in Microsoft Visual C++ and arrives compressed by the UPX compression utility.

According to Kaspersky Labs, Tanatos spreads in e-mail attachments with differing headings, body texts, file attachment names and even formats, which makes it harder to identify infected e-mail messages from their external properties.

“Infected messages consistently have plain text or HTML format. With the plain text version users must actively open the attached file, thereby letting the worm loose. With the HTML version, after the worm arrives in the inbox of potential victims, Tanatos waits for its e-mail message to be read, for example, in the preview window. Once this occurs, by exploiting the "IFRAME" vulnerability in the Windows Explorer's security system, it secretly launches itself and infects the machine,” says Denis Zenkin, Head of Corporate Communications of Kaspersky Labs.

To spread over local area networks, the Tanatos worm goes through all network-accessible resources and searches for the Windows system auto-run directory, where it copies itself so that it will execute the next time the infected computer is booted. This works only if general write permission is enabled for that directory. After activation, Tanatos registers itself in the system registry auto-run key so that its malicious code will activate each time Windows is booted.

Kaspersky Labs says that potential victims of Tanatos are computers hosting the Klez worm, as both worms exploit the "IFRAME" vulnerability. "When taking into account the fact that Klez, to this day, still maintains first place in the list of most widespread virus programs, it is possible to expect Tanatos to do its share of damage as well," says Zenkin.