Updated Monday, Jan. 22, with details on the malware's spread over the weekend.
A Trojan horse that started spreading Friday in emails exploiting concern about European storms continued its advance over the weekend by adopting a wider variety of fake news headlines, according to Finnish antivirus firm F-Secure Corp.
"The weekend has been very busy with Storm," F-Secure said in its blog. "We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections."
The Trojan is now using the following headlines in an attempt to trick email recipients into clicking the malicious attachment:
- Russian missle shot down Chinese satellite
- Russian missle shot down USA aircraft
- Russian missle shot down USA satellite
- Chinese missile shot down USA aircraft
- Chinese missile shot down USA satellite
- Sadam Hussein alive!
- Sadam Hussein safe and sound!
- Radical Muslim drinking enemies' blood
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- U.S. Southwest braces for another winter blast. More then 1000 people are dead
- Venezuelan leader: "Let's the War beginning"
- Fidel Castro dead.
- Hugo Chavez dead
Footage of F-Secure's computerized world map is available on YouTube. It shows glowing dots dramatically spreading across the map as the malware proliferates across the globe.
The attackers initially spammed out hundreds of thousands of emails with a subject line that read, "230 dead as storm batters Europe." The emails contain a malicious attachment that will infect the computer if the user opens it.
Mikko Hypponen, head of research at F-Secure, was amazed by how effectively the bad guys capitalized on breaking news about the storm.
"What makes this exceptional is the timely nature of the attack," he told the Reuters news agency. He said thousands of computers were affected around the world, mostly private machines. He told Reuters that most users won't notice the malware, which is designed to create a back door on the computer that can be used later to steal sensitive data or launch spam runs.
The malware attack also kept researchers busy at UK-based antivirus firm Sophos, which reported seeing malicious files attached to emails with names such as Full Clip.exe, Full Story.exe, Full Video.exe, Read More.exe, and Video.exe.
"On average, one in every 200 emails that people have received since midnight [Friday] are likely to be infected by this Trojan horse," Graham Cluley, senior technology consultant for Sophos, said on the company's Web site. "Receiving or reading the emails themselves does not mean that you will be infected. However, users must be very careful not to click on the attached file inside the emails as that will install a Trojan horse on their computer."