The Waledac worm spreads when users are duped into visiting a website claiming to contain a Christmas card, according to a SANS Internet Storm Center blog post Thursday. However, the card doesn't appear, and users are asked to click on a link, which is actually the malware executable.
First signs of the attack emerged on Sunday, but the malware writers began registering their host domains weeks ago, SANS incident handler Maarten Van Horenbeeck said in the blog.
Pierre-Marc Bureau, a researcher at anti-virus vendor ESET, said the worm contains some similarities to the Storm Worm -- which was known to spread via fake greeting cards during popular holidays -- including using a redirection site and fast-flux capabilities to hide its IP addresses.
However, unlike Storm, Waledac does not use a peer-to-peer network to communicate. It instead uses an open source executable packer and cryptography to hide its tracks, Bureau said Sunday on the ESET Threat Blog.
"What we are observing today is proof that malware authors are learning from each other's errors and successes," he wrote. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."
Once installed on a user's machine, the worm searches for email addresses and then spams copies of itself to those addresses, according to anti-virus provider F-Secure. It also can steal online banking passwords and has targeted a number of banks across the globe.
Van Horenbeeck, though, said the number of infections should remain low because the attack requires human interaction and arrived on the scene "fairly late in the holiday cycle." Still, he suggested businesses block the download of "ecard.exe," as well as the domains being used in the attack. His SANS blog post listed a number of affiliated domains.
Also, enterprises should ensure their anti-virus and anti-spam solutions are up to date, Van Horenbeeck said. IT personnel at companies additionally should educate their users about scam emails and implement bans on untrusted code being able to execute on corporate machines.
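As an added example (not from the article or from SANS), the proxy-log check below implements the two blocking recommendations above: it flags any request for the "ecard.exe" filename and any request to a blocklisted domain or its subdomains. The log lines, the `.invalid` domains in the blocklist and the log format are all constructed placeholders; the article does not reproduce the domains from the SANS post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample proxy log, format: "client method url status" (not real traffic).
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/news/index.html 200
10.0.0.15 GET http://cards.lure-placeholder.invalid/ecard.exe 200
10.0.0.15 GET http://cards.lure-placeholder.invalid/card.html 200
10.0.0.21 GET http://intranet.example.com/tools/setup.exe 200
10.0.0.33 GET http://another-lure.invalid/postcard/show.php 200
"""

# Placeholder blocklist standing in for the domains listed in the SANS post.
BLOCKED_DOMAINS = {"lure-placeholder.invalid", "another-lure.invalid"}
# Filename named in the article as the malware executable.
BLOCKED_FILENAMES = {"ecard.exe"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    client: str
    host: str
    path: str
    reason: str  # "blocked-filename" or "blocked-domain"


def split_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, path) for an http(s) URL, or None if it does not parse."""
    m = URL_RE.match(url)
    if not m:
        return None
    return m.group(1).lower(), m.group(2) or "/"


def host_is_blocked(host: str) -> bool:
    """Match the domain itself and any subdomain of a blocklisted domain."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def check_line(line: str) -> Optional[Hit]:
    """Flag one proxy log line; filename match takes precedence over domain match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, _status = m.groups()
    parsed = split_url(url)
    if parsed is None:
        return None
    host, path = parsed
    if path.rsplit("/", 1)[-1].lower() in BLOCKED_FILENAMES:
        return Hit(client, host, path, "blocked-filename")
    if host_is_blocked(host):
        return Hit(client, host, path, "blocked-domain")
    return None


def scan_log(text: str) -> List[Hit]:
    """Return every flagged request in order; each hit names a client to follow up on."""
    return [h for h in (check_line(l) for l in text.splitlines()) if h is not None]
```

A legitimate installer such as `setup.exe` from an internal host is not flagged, which keeps the rule narrow enough to run alongside, rather than instead of, up-to-date anti-virus and anti-spam filtering.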