Heart attack: Valentine virus strikes at email inboxes

February 14, 2007 Sophos Press Release


The Dref-AB worm uses a variety of Valentine-related subject lines.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread worm posing as a St Valentine's Day greeting which is spreading fast across the internet.

The W32/Dref-AB worm has been deliberately spread via email in readiness for office workers and home computer users to find the malicious Valentine email in their inbox first thing in the morning. Since midnight GMT the Dref-AB worm has accounted for 76.4% of all malware sighted at Sophos's global network of virus monitoring stations.

Subject lines used in the attack are many and varied, but all pose as a romantic message. Some of them include "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine", "My Valentine", "My Valentine Heart", "My Valentine Sunshine", "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel", "Valentine's Love", "Valentine's Night", "Valentine Letter", "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance", "Valentines Day is here again", and "Your Love on Valentine's".

Attached to the emails are files called "flash postcard.exe", "greeting postcard.exe", "greeting card.exe", or "postcard.exe", which contain the worm.

"This new Valentine attack is spreading hard and fast across the net, accounting for over three quarters of all the malware we've seen at email gateways around the globe since February 14 began," said Graham Cluley, senior technology consultant. "People will be truly love sick if they let the virus run on their PC."

Opening the attached files on a PC activates the worm, which then sends itself to other email addresses found on the now-infected computer. Sophos analysts believe that the worm code is designed to attempt to download further malicious code from the internet, code intended to take over the PC, convert it into part of a zombie network, and use it to send spam on behalf of hacking gangs.

"Cynical hackers are using the theme of Valentine's Day to conquer innocent people's computers and use them for their own money-making purposes," continued Cluley. "Your PC and the data on it is precious, and it needs to be protected. No-one should be blinded by the excitement of Valentine's Day into opening unsolicited attachments or clicking on links to unknown websites, as you could be falling deep into a hacker's trap. The best defense is common sense, combined with up-to-date anti-virus software and email filtering at your gateway."

Last month Sophos published its annual Security Threat Report, which detailed the increased use by hackers of malware in their attempts to infect computer users for the purposes of sending revenue-generating spam.

Businesses using Sophos's anti-spam solutions were all proactively protected against the Dref-AB attack, as the emails were detected with Sophos's unique Genotype® technology. Sophos's anti-virus solutions were automatically updated at 00:00 GMT, 14 February 2007.

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against malware, spyware and spam.