The Zhelatin virus is challenging Bagle and Warezov for the dubious honour of number one virus after eight new variants were detected in the past four days, security experts have warned.
Kaspersky Lab said that Zhelatin.s, .t and .u were detected on 8 February, while Zhelatin.v was detected on 9 February. Four more variants, .w to .z, were detected during the weekend of 10-11 February.
The most significant of these is Zhelatin.u, which Kaspersky Lab currently rates as a 'moderate' risk.
Zhelatin first appeared on 19 January and 26 variants have so far been detected by Kaspersky since 22 January.
Zhelatin.u spreads via email as an infected attachment. The subject line, message body and attachment are variable.
The worm itself is a Portable Executable, between 5KB and 54KB in size, packed with UPX. The worm copies itself to the hard disk and modifies the registry to load automatically on start-up.
The worm terminates a range of antivirus and firewall applications and adds a rule to the system firewall to prevent its own activity from being blocked.
It also launches an SMTP proxy server on TCP port 25, allowing a remote hacker to use the infected machine as part of a spam botnet.
Zhelatin.u registers itself on the remote site, sending the network address of the victim machine before downloading a file containing the botnet configuration. This file is used to get data from the victim machine and to send spam.
The worm uses a rootkit to hide its own processes, files and registry changes. Kaspersky detects this component as 'Email-Worm.Win32.Banwarum.f'.
David Emm, senior technology consultant at Kaspersky Lab, said: "Zhelatin.u is just a re-packed version of an earlier Zhelatin variant. It is broadly similar in behaviour to several earlier variants, although there are significant differences.
"The Proactive Defense Module in KAV 6.0 and KIS 6.0 is able to block this new threat without the need for new signatures. Nevertheless, we recommend that users update their antivirus databases as soon as possible."
Microsoft comes up with a new way to foist its unloved and little used Edge web browser on people
Facebook suspends Cambridge Analytica following weekend claims that it illegally harvested information from 50 million users
Insider claims Cambridge Analytica used academic app to filch Facebook data of 50 million users
Is the Samsung Galaxy S9+ worth its high price?