Antivirus vendors' worm alert email carries worm

A Russian antivirus company apologised late last week for an emailed virus alert that was infected with the very worm the message was supposedly designed to warn against.

Kaspersky Labs said the message, sent on Thursday to subscribers of the company's "Virus News" email dispatch, had actually been sent by hackers masquerading as the company. The hackers had managed to break into Moscow-based Kaspersky's computer system and steal the mailing list for the newsletter, the company said.

"We are conducting an investigation to reveal the sources of this attack and are taking the necessary measures... to ensure that this type of attack will never succeed in the future," Eugene Kaspersky, founder and head of research for the company, said in an advisory about the email.

To date, the company hasn't heard of any infections resulting from the tainted message, but it has offered free technical services to anyone who does fall prey to the viral prank.

The infected message, sent to some thousands of subscribers, carried a copy of the recently discovered Braid worm.

Braid, also known by Kaspersky Labs as Bridex, hasn't spread very widely. UK-based email service provider MessageLabs intercepts such hostile attachments for its client companies and saw only a little more than 2,000 copies of the virus in the last day or so of last week.

That places the malicious program at number five on MessageLab's daily Top 10 list; the Klez virus leads the pack with over 9,000 infected emails intercepted by the company in the same time period.

A variant of the FunLove virus, Braid is written in Visual Basic Script and has its own email engine. That means it can spread itself even if a victim's computer doesn't have an email client such as Outlook installed. The virus infects computers running on Windows, makes several copies of itself on the hard drive, searches for email addresses in a variety of files and then sends itself out to those addresses.

But Thursday's mass mailing of the virus wasn't the result of an infection, said Denis Zenkin, director of marketing for Kaspersky Labs. It was a deliberate act by online vandals.

"Some hackers got into our web server and got the addresses of our subscribers," Zenkin said, "and these hackers sent a message with the Bridex worm to all of the subscribers."

Zenkin said he doesn't know how the hackers infiltrated the web server, which ran the Unix variant FreeBSD and the mail program Postfix.

However, he did say such attacks are no longer a rare occurrence, especially in Russia.

"We get dozens and dozens of attacks every day," Zenkin said, trying to put a positive face on the whole incident.

"This case shows that Kaspersky Labs is growing and becoming more and more famous and attracts more attentions from the hackers," Zenkin said.

Robert Lemos writes for News.com