The 'hacker tool' worm that gurned

The old English practice of gurning, in which participants pull a funny or scary face, is being used by a newly discovered worm to distract PC users while their machines are being compromised.

The Wurmark-F worm, a variant of Wurmark-D which began spreading last month, arrives as a zipped email attachment and displays a picture of an old man pulling an impressive gurn.

Meanwhile the worm installs itself in the Windows system folder, along with a new version of the Rbot worm, which spreads via networks without the need for user interaction.

Wurmark-F then harvests email addresses, except those of antivirus companies, and emails itself out. The Rbot payload immediately starts to look for vulnerable computers on the network and installs a Trojan to allow the PC to be used remotely for hacking or spamming.

"This is a nasty one because it's a carrier for a much more dangerous worm," said Graham Cluley, senior technology consultant at IT security firm Sophos.

"The Rbot worm is a tremendously powerful hacker tool and there are a lot of variants out there. It's very popular in the hacking and spamming community because it gives the hacker full control of the PC."

Wurmark-F is spreading through the English speaking world, but Cluley warned that the Rbot worm it carries is far more dangerous.

Emails have the subject line 'Hhahahah lol!!!!', 'Rate My Pic', 'Your Pic On A Website!!' or 'You have an Admirer'.

The choice of a gurning picture may indicate that the worm's writer is British. Gurning is an ancient Cumbrian practice of pulling a funny face and is famously practised in the village of Egremont at its annual crab apple fair.

Last year a record 29 contestants turned up from Australia, New Zealand, Sweden and the UK to contest the men's Gurning World Championship. Cumbrian local Tommy Mattinson clinched the prize.

More information about Wurmark-F is available from Sophos here.