Kaspersky Lab has detected a new variant of Zhelatin spreading

06 Feb 2007
Virus News

Kaspersky Lab, a leading developer of secure content management solutions, has detected that Email-Worm.Win32.Zhelatin.o is spreading rapidly. The worm spreads as an attachment to email messages.

The worm, which was detected by Kaspersky Lab virus analysts, is the latest modification in the Zhelatin family. Like many other email worms, it uses social engineering: message topics and subjects are designed to attract users' attention and cause them to open the attachment.

When the attachment is opened, the worm copies itself to the hard disk; it will be automatically launched when the victim machine is rebooted. The worm also harvests email addresses from the victim machine and sends copies of itself to these addresses. As part of its malicious payload, the worm disables firewall and antivirus services on the infected computer. It uses rootkit technology to mask its presence in the system. Zhelatin.o also infects executable (.exe) files and files with the .scr extension that it finds in the system, copying its code into these files.

The Proactive Detection Module in Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0 blocks the virus without using signatures. Nevertheless, detection and disinfection routines for this malicious program have been added to the Kaspersky Anti-Virus antivirus databases. Due to this epidemic, users are advised to update their antivirus databases and not to open attachments to email messages which come from unknown users.

A detailed description of Zhelatin.o is available on Viruslist.com.