New Worm Promises World Cup Tickets

If you've got soccer fans in your enterprise, you had better check your antivirus software quick.

A new worm dubbed "Banwarum" or "Zasrancheg" began circulating around the Web last week and already has produced three variants, according to researchers and antivirus software makers. Most of the vendors said they have created updates that handle the worm, but several pre-update infections have also been reported.

The worm sends itself to users as an email message, usually in German, inviting them to access a password-protected archive that contains electronic tickets to the World Cup soccer games in Germany next month. The password for the archive is included in the email.

If a user accesses the archive, the worm steals email addresses from the victim's machine and spreads more messages to those addresses. Some of the worm's messages are similar to those sent by the Sober worm, according to antivirus vendor F-Secure. Like Sober, Banwarum could potentially result in a debilitating flood of message traffic across an enterprise, though no large-scale problems have been reported as of yet.

When accessed, the worm drops its main component into the Windows System directory as the file "mszsrn32.dll." This file is then injected into the Windows logon executable, making it possible for the DLL to get control before the user logs on to Windows.

The worm has spawned three variants: Banwarum.A, .B, and .C, but antivirus vendors such as Aladdin, F-Secure, McAfee, Secunia and Symantec all say they have updated their software to stop its spread. Symantec reported fewer than 50 infections in only a couple of locations. The vendors generally reported the risk to be low.

Although the messages are in German, the original worm file uses the Russian word "Zasrancheg," which suggests it may have been created in Russia.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story