Here’s one of the messages our email honeypot captured earlier this day:

The attachment (which may vary in filename from one email to another) actually contains WORM_NUWAR.AOP, which, as noted in the previous blog, camouflaged itself in password protected ZIP files to bypass immediate detection by antivirus applications.

However, this particular email that is being sent around has one more trick up its sleeve. While the password protected ZIP file is a mechanism to avoid detection by antivirus applications, the main body of the email is actually an image file (*.GIF). The use of an image file to contain the actual message text is a technique that allows it to bypass email filters such as antispam applications. The combined techniques that are employed by this particular malware increase its chances of evading security filters within a network and eventually end up in a user’s inbox.

We recommend that users refrain from opening the attachments of emails coming from untrusted sources.