New SpamtaLoad worm starting to spread rapidly

PandaLabs has detected a huge number of emails containing the SpamtaLoad.DO trojan. In fact, this trojan was present in up to 40% of the infected messages received by PandaLabs every hour.

Panda Software’s TruPrevent Technologies have detected SpamtaLoad.DO without the need for prior updates. Those users with these technologies installed on their computers have been protected at all times.

The trojan reaches systems in email messages with variable subjects and text bodies. Some of them are as follows:

Subject: “Error”, “Good day”, “hello” or “Mail Delivery System”.

Text body: 

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The trojan arrives as an executable attachment with a variable file name. If the user runs the file, SpamtaLoad.DO displays a false error message or opens Notepad and displays some text. The file downloads the Spamta.TQ worm to the system. This worm is designed to resend SpamtaLoad.DO to all of the email addresses that it finds on the target computer.
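As an added example (not from PandaLabs or the original article), the following mail-filter heuristic checks a message against the subjects and body text listed above and quarantines it only when an executable attachment is also present. The extension list, the function names and the sample-message builder are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the report above.
SUBJECTS = {"error", "good day", "hello", "mail delivery system"}
BODY_PHRASES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
)
# Assumption: the report only says "executable attachment"; this extension
# list is illustrative and not taken from the report.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def lure_indicators(raw_bytes):
    """Return the set of report indicators present in one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name:
            # endswith also catches double extensions such as "doc.txt.exe"
            if name.endswith(EXEC_EXTS):
                hits.add("exec_attachment")
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so re-wrapped bodies still match
            text = " ".join(part.get_content().lower().split())
            if any(p in text for p in BODY_PHRASES):
                hits.add("body")
    return hits

def should_quarantine(raw_bytes):
    """Quarantine only when an executable attachment accompanies a known lure."""
    hits = lure_indicators(raw_bytes)
    return "exec_attachment" in hits and bool(hits & {"subject", "body"})

def build_sample(subject, body, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

Because the report says subjects and bodies vary, a rule like this covers only the listed lures; requiring the executable attachment keeps ordinary mail with the subject "hello" out of quarantine.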

“This type of malicious code is not usually the end in itself. In most cases, they are used as a red herring to distract security companies. While they concentrate efforts on removing them, cyber-crooks take the opportunity to launch other malicious code silently. These other specimens are usually far more dangerous,” explains Luis Corrons, Technical Director of PandaLabs.

The members of the Spamta family of worms and trojans have been very active over the last few years. PandaLabs has detected several waves of attacks caused by this family of malicious code, the latest at the end of November 2006.

“During these waves many variants of the same family are put in circulation in a very short time. Users should act with caution, as this trojan could just be the spearhead of a new wave of attacks,” says Corrons.