‘High-risk’ malware poses as Symantec update

Security watchers yesterday warned internet users to be on their guard against a "high-risk" malicious email that appears to be a Symantec virus advisory, but actually contains a payload designed to disable anti-virus updates.

The email carries a spoofed sender address that aims to fool unwary recipients into believing that the message comes from Symantec's Norton AntiVirus division. The message claims that the user's machine is infected with a virus called w32.aplore@mm and directs the user to a "cleaner" link that will supposedly eliminate the infection.

When a user clicks on the link in the bogus virus notification, an executable is downloaded that modifies the user's hosts file. The altered hosts file prevents the anti-virus software from fetching its updates, leaving the user susceptible to further malicious activity.
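A defender-side check for the tampering described above, added here as an example and not code from the original article: it parses a hosts file and reports any entry that pins an anti-virus update hostname, separating entries that sinkhole the lookup (loopback or unspecified addresses) from entries that redirect it to some other server. The watchlist of Symantec update hostnames and the hosts-file content are constructed for the example.

```python
import ipaddress
import re

# Assumed watchlist of anti-virus update hostnames (constructed for this
# example; a real check would use the vendor's published update hosts).
AV_UPDATE_HOSTS = {"liveupdate.symantec.com", "update.symantec.com"}

# Constructed hosts-file content: the stock localhost entry, one benign
# intranet entry, and two lines in the style of an "anti-virus killer".
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # update lookups go nowhere
203.0.113.7     UPDATE.symantec.com       # points at a fake mirror
10.0.0.5        intranet.example.test
"""

def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lowercased) to the address the hosts file assigns it."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        for name in names:
            mapping[name.lower()] = addr
    return mapping

def _is_sinkhole(addr: str) -> bool:
    """True if traffic to addr can never reach a real update server."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # an unparsable address breaks resolution just the same
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local

def find_update_overrides(text: str, watchlist=AV_UPDATE_HOSTS) -> dict[str, str]:
    """Watchlisted hosts the hosts file pins, tagged 'sinkholed' or 'redirected'."""
    # A clean hosts file never names a vendor update server, so any hit is suspect.
    found = {}
    for host, addr in parse_hosts(text).items():
        if host in watchlist:
            found[host] = "sinkholed" if _is_sinkhole(addr) else "redirected"
    return found

if __name__ == "__main__":
    for host, kind in find_update_overrides(SAMPLE_HOSTS).items():
        print(f"{kind}: {host}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a "redirected" hit deserves the same attention as a "sinkholed" one, since the article's lure was hosted on a site mirroring a Symantec update page.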

This is the latest version of the anti-virus killer, according to security firm SurfControl, which located the malicious software on a free hosting service mirroring a Symantec update site. The site has now been suspended by the web host.

Max Rayner, chief information officer and executive vice president of product and service delivery for SurfControl, said that the malware was first detected by the firm's staff in Asia, who passed details to its Europe, Middle East and Asia team, which in turn transferred the findings to the American team that verified the scam.
