Panda: messaging worm disguised as postcard

- A messaging worm spreads under the guise of a postcard -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

MADRID, September 20 2005 - PandaLabs has, over the last, the last 24 hours, recorded numerous incidents caused by a new instant messaging worm Mepe.A, in the area of Latin America, which spreads using instant messaging programs. To follow the progress of this worm go to Panda Software's Encyclopedia, at http://enterprises.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=90325

This Hispanic worm is designed to appear as a compiled Shockwave Flash file - which it isn't- and when it is run, it displays a message claiming that execution has failed. However, it continues to create a series of copies of itself in the system directory, as well as generating a series of registry keys to ensure it is executed on every system startup. What's more, it creates a file in the root directory that contains the phrase in Spanish "Dios sólo nos dio un 1 y un 0, y con eso, hemos construido un universo" (God just gave us a one and a zero and with this we have created the universe).

This worm spreads using the instant messaging applications. When the user connects to this application, the worm looks for active windows with the title 'Conversación', and sends a message in Spanish inviting the user to download a postcard from a well known website: "te mandaron un recado conmigo, ya te has de imaginar quien y si no sabes me dijo que no te dijera quien, me dijo que te lo escribio en una postal y que de aqui la abras www.[omitido].com ,bueno yo ya cumpli e?". (I have been asked to give you a message, now you must guess from who, and they told me not to tell you if you don't know and that you can open it from here www.[omitted].com, right I've done what I was told - eh?). The link sent to users takes them to a website that contains a copy of the worm, so that it is downloaded to the computer and infects it.

What's more, Mepe.A also monitors the tasks that are running in order to close windows with the following names in Spanish, "Administrador de tareas de Windows", "Panel de Control", "Editor del Registro", "Utilidad de configuración del sistema", and "Restaurar Sistema", so that the user cannot end the process related to the worm.

PandaLabs has already contacted the companies whose servers are housing this worm in order to get the URL deactivated and stop this worm from causing more infections.

To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.pandasoftware.com/home/default.asp. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

For further information about these and other computer threats, visit Panda Software's Encyclopedia.