Social engineering is behind the slow crawl to success for the latest worm to hit New Zealand's shores.
The worm was discovered earlier this month, and reports indicate that it is now almost reaching critical mass in New Zealand. W32.Gibe@mm is a worm that transmits itself using the Microsoft Outlook address book. The worm is no more sophisticated than any other seen in the past year, but it is slowly infecting more users because of its clever use of text taken from a Microsoft security bulletin, says Christchurch-based virus expert Nick FitzGerald.
"To the average user it looks like the sort of thing they'd expect from Microsoft, but there are a few tell-tale signs that give it away as a fake," FitzGerald says.
The first of these giveaways is the most obvious: Microsoft does not send out unsolicited email with attachments.
"Microsoft has a policy of not distributing updates by attachment - there's a page that goes into all the gory detail as to why on their website," says FitzGerald.
He says some users are being fooled into believing the attachment is real because the text includes a link to a Microsoft web page.
"But the address for the sender is wrong and Microsoft typically signs all its email when it does make such an announcement to a mailing list or news group, with an encrypted signature of some kind."
The worm attempts to copy itself to all locally mapped remote drives. Anti-virus firm Symantec rates the worm as moderately dangerous but with a wide distribution, and FitzGerald believes the people being fooled by it are more likely to be small businesses and home users.
"When we get those sudden explosions of incidences of a worm it is typically because it's got into a corporation somewhere with a huge address book list. This kind of slow burn is more likely to be from the SOHO market instead."
FitzGerald says the Gibe worm is hanging around for a lot longer than he or any of his colleagues had anticipated.
"It's got staying power for some reason and I'd say it's because of the social engineering aspect. There have been other viruses pretending to be security updates but this one seems to have all the ingredients, including luck, to last for a while."