"Sculpture and painting have the effect of teaching us manners and abolishing hurry"

Ralph Waldo Emerson (1803-1882), US poet
(December 13 1466, Donato di Niccolò, a.k.a Donatello,Italian sculptor)

An email offering a McDonald's discount menu, new bait to infect users

PandaLabs, Panda Security's laboratory for detecting and analyzing malware, has detected an email message claiming to be a special Christmas offer from McDonald's, but which really spreads the P2PShared.U worm.

The email subject is "Mcdonalds wishes you Merry Christmas!", while the message text reads as follows:

"McDonald's is proud to present our latest discount menu. Simply print the coupon from this Email and head to your local McDonald's for FREE giveaways and AWESOME savings."

To make the message look more authentic, the sender's address shows the "mcdonalds.com" domain. The message also contains a drop-down menu for the targeted user to choose their country, a cunning detail given the fact the emails claim to come from a multinational company such as McDonald's.

This malicious code also uses a different set of emails to spread. In this case, the message subject is "You have recieved (sic) a Hallmark E-Card from your friend".

The message text prompts users to download and run the attached message in order to open the card.

In both cases, if the user follows the instructions in the email, downloads the attachment and tries to open it, they will actually be downloading a copy of P2PShared.U and will install it on their computer.

"These emails use social engineering in different ways. Both emails attract users' attention with Christmas-related subjects. However, the first email also exploits the financial crisis by inviting users to download a coupon for gifts and savings; a very effective lure", explains Luis Corrons, technical director of PandaLabs.

Once on the computer, the worm sends out emails with the same subject and appearance to other users.

Finally, it copies itself to folders of various P2P file-sharing programs (eMule, LimeWire, Morpheus, etc.) with names relating to security software, image editing programs, program cracks, etc. This way, any user that tries to download any of these applications will be actually letting a copy of the worm into their computer.

To avoid these infections Panda advises users not to open messages from unknown senders, and in particular, not to open any attachments they might contain or click any links in them.

You can see images of this emails at: http://www.flickr.com/photos/panda_security/tags/mcdonalds/

You can receive the Panda Security news automatically by adding this URL (http://feeds.feedburner.com/PandaSecurity) to your feed reader.

For up-to-date computer security news go to the Panda Security Twitter.