
Beware: The Reeezak worm bears some nasty gifts

Another new mass-mailing worm called Reeezak is running loose on the Internet, spreading anti-Semitic messages and attempting to disable computers that open its Christmas.exe attachment. See what this worm can do and how to avoid it.


Reeezak is yet another mass-mailing worm spreading through Microsoft Outlook address books and MSN Messenger. Unlike some other recent viruses, which didn’t cause too much damage, this worm poses a major threat. However, the worm can’t cause any damage unless people open the e-mail and the attachment propagated by this virus. But since this is the holiday season, the fake holiday greeting may trick a number of people into opening the attachment. Anyone who does open this worm risks having their computer completely disabled.

Details
The Reeezak worm, also known as W32.Reeezak.A@mm, W32.Zacker.C@mm, and W32.Maldal.C@mm, was first reported Wednesday afternoon, December 19, 2001. The message that carries the Reeezak worm looks like the following:
 
Attachment: Christmas.exe
Subject: Happy New year
Message: Hii
I can't describe my feelings
But all i can say is
Happy New Year :)
bye



According to an early Newsbytes report, one of the things that the Christmas.exe script does is to modify Internet Explorer to point to a malicious Web site on Yahoo's Geocities community homepage service. Geocities is a free Web page hosting site, and it’s simple to create a Web page anonymously on Geocities.

The Web page is titled jobreee/ZaCker.htm and it contains an anti-Semitic message. The source code of that page also attempts to use a JavaScript exploit from a known vulnerability in Internet Explorer to delete antivirus and personal firewall packages from the computer that browses the page. The Sophos.com antivirus site reports that the worm actually alters the default browser home page to the ZaCker site by changing a couple of registry keys.

In addition to deleting antivirus programs and sending the attacked computer’s IE browser to a Web site containing more malicious code, Reeezak also disables some keyboard keys and, according to a Reuters report carried on CNET, attempts to delete files in the Windows System directory, which could completely disable the computer.

Computer Associates rates this a medium- to high-risk worm, Trend Micro rates it as a medium risk, ZDNet rates it as a 6 out of 10 on the Virus Meter, and Symantec says it already has wide distribution and poses a moderate threat.

Final word
As usual, I should point out that opening unexpected attachments is never a good idea; leaving them unopened avoids this virus altogether. Many organizations have antivirus software that automatically blocks .exe files, so these companies should not be affected by this worm.
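
The .exe blocking mentioned above can be sketched as a mail-gateway check. This is an added example, not code from the article or from any antivirus product: it parses a raw message, quarantines attachments with blocked extensions, and tags mail matching the attachment name and subject shown earlier. Every extension other than .exe, the verdict strings, and the function names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Only .exe comes from the article; the other extensions are assumptions.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

# Indicators taken from the message shown in the article.
REEEZAK_ATTACHMENT = "christmas.exe"
REEEZAK_SUBJECT = "happy new year"


def inspect_message(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    reasons, reeezak_like = [], False
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        # Windows ignores case and trailing dots/spaces, so normalise first.
        name = filename.strip().rstrip(". ").lower()
        # Judge by the last extension so "card.jpg.exe" is still caught.
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {filename}")
            if name == REEEZAK_ATTACHMENT and subject == REEEZAK_SUBJECT:
                reeezak_like = True
    if reeezak_like:
        return "quarantine-reeezak", reasons
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message (not a captured worm e-mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    for args in [("Happy New year", "Hii", "Christmas.exe"), ("Notes", "hi", "notes.txt")]:
        print(args, inspect_message(build_sample(*args)))
```

Filename matching only catches the attachment as named; a gateway would pair it with content scanning, since a renamed attachment keeps the same payload.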
