Datom.A virus poses as Microsoft update
Windows users are being warned to be on the lookout for a virus disguised as 'copyrighted Microsoft code' and claiming to be a Windows update.
One expert has even warned that the Windows worm, Datom.A, "could mark an evolution for viruses' modus operandi".
The worm may arrive as an email purporting to be a Microsoft update, but it can also spread through open network shares. The actual worm itself consists of three components: MSVXD.exe, MSVXD16.dll and MSVXD32.dll, created using Borland C++.
"Taken separately, these files cannot be considered as malware, but together they form a pretty malicious code," said Costin Ionescu, virus researcher at BitDefender.
Aside from dropping copies of itself in all subfolders and network folders, experts have said that the worm may mark a significant evolution in virus coding because of the unusual tricks it uses to hide itself. Relevant strings of characters are stored in an encrypted format in the virus files in order to avoid disassembly and analysis, and the virus also uses a few anti-debugger tricks.
The worm uses another trick to make itself 'invisible' in the registry and kills personal firewall Zone Alarm if it is found running, before attempting to connect to the Microsoft website. It is also thought that the worm tweaks the registry and modifies the default application that opens .html files - presumably a web browser. But it is unclear exactly why it does this or why it tries to connect to Microsoft's website.
News source: vnunet.com