Feb 23
9:51 am (UTC-7)   |   by Eric Avena (Technical Communications)

Trend Micro has received reports of a new worm spreading in the wild. This new worm, detected as WORM_ZHELATIN.CH, propagates via Web-based email messages. Some of the affected email service providers are the following:




  • AOL
  • Bellsouth
  • Care2
  • Comcast
  • EarthLink
  • FastMail
  • Gmail
  • Hotmail
  • Lycos
  • Outblaze
  • Rambler
  • Tiscali
  • Yahoo!



Users of these email service providers are advised to be wary of email messages from unexpected sources.



It is interesting to note that one of the affected email service providers is Rambler, one of the biggest Russian search engines and Web portals.



Trend Micro is conducting an in-depth analysis of this worm. More information will be posted shortly.



Update (02.23.2007):

Upon further analysis, this worm apparently connects to a certain URL in order to retrieve message details (or message templates), which it sends using the abovementioned Web-based email service providers.


It also drops TROJ_AGENT.JWE, a Trojan that is registered as a Layered Service Provider (LSP). Apart from fully entrenching the dropped Trojan on the system, this routine allows this worm to intercept and log network traffic before it redirects an affected user to the originally desired Web site.
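A defender-side check for the LSP registration described above, as an added example that is not part of Trend Micro's analysis: it parses a saved `netsh winsock show catalog` listing and flags transport entries that are layered or that load a DLL from outside system32. The sample listing is constructed (the EXAMPLE-LSP provider, its entry ID and its DLL path are made up), and the field layout is assumed to match netsh output.

```python
import re

# Constructed sample (layout of `netsh winsock show catalog` assumed; LSP made up).
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        EXAMPLE-LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Users\Public\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
"""

HEADER = "Winsock Catalog Provider Entry"
SYSTEM_DIR = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\", re.I)

def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per transport provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Provider Entry"):
            current = {} if line == HEADER else None  # skip name-space sections
            if current is not None:
                entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def review(entries):
    """Flag entries that are layered or load a DLL from outside system32."""
    findings = []
    for e in entries:
        reasons = []
        # Winsock chain length: 1 = base provider, 0 or >1 = layered.
        if e.get("Protocol Chain Length", "1") != "1":
            reasons.append("layered provider")
        if not SYSTEM_DIR.match(e.get("Provider Path", "")):
            reasons.append("DLL outside system32")
        if reasons:
            findings.append((e.get("Catalog Entry ID"), reasons))
    return findings
```

Legitimate software also installs LSPs, so each finding is a prompt to verify the DLL rather than a verdict. A malicious DLL can sit inside system32 as well, which makes the chain length the stronger of the two signals.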


The Trend Micro URL Filtering Engine already blocks the malicious links related to this malware. However, users are still advised to avoid clicking on suspicious links even if they come from known and trusted sources.
