Another Mass-Mailing Worm and a Scam MS09-067 Fix!

Published: January 08 2009, 01:01 AM
by Methusela Cebrian Ferrer

Win32/Fruspam.A is a mass-mailing worm that harvests email addresses from the affected machine and uses them when connecting to remote SMTP servers to send spam.

This worm constructs spam messages like the one below by requesting images from legitimate sites – in this case, www.ikea.com.

Example spam email sent by Win32/Fruspam.A

Aside from this typical email worm behavior, Fruspam also targets systems running servers with IIS (Internet Information Services). The worm attempts to modify or replace the legitimate file at %Root%\inetpub\wwwroot\index.htm with its own file.

The following ‘security warning’ is displayed the next time the website's main page is accessed:

Example 'security warning' which, if clicked, executes a copy of the worm

Unfortunately, clicking on the "MS09-067" hyperlink could execute a file named “MS09-067.exe”, which is a copy of the worm.

Be aware of this trick and take the necessary security precautions to protect your system and network. Following these recommendations would be a good place to start:

  • Make sure your security scanner runs with the latest signatures.
  • Avoid clicking dubious links and executing suspicious attachments. It is best to seek expert advice!
  • For networks running SMTP, make sure the SMTP relay is properly configured to prevent spammers from using your exchange server.
  • Enforce security permissions on IIS-sensitive content to prevent unwanted modification. 

A detailed description of Win32/Fruspam.A is also available in our Virus Encyclopedia:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77083 
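
One way to detect the index.htm replacement described above, as an added example that is not part of the original post or CA's tooling: it compares the page against a known-good SHA-256 baseline and flags hyperlinks that point to executable files. The function names, the extension list and the sample pages are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list: file types a site's main page should not link to directly.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def executable_links(html_text):
    """Return hrefs whose URL path ends in an executable extension."""
    parser = _LinkCollector()
    parser.feed(html_text)
    return [h for h in parser.hrefs
            if urlparse(h).path.lower().endswith(EXECUTABLE_EXTENSIONS)]

def check_index_page(content, baseline_sha256):
    """Compare page bytes to a known-good hash and list executable links."""
    digest = hashlib.sha256(content).hexdigest()
    return {
        "modified": digest != baseline_sha256,
        "executable_links": executable_links(content.decode("utf-8", "replace")),
    }

# Constructed sample pages (not the worm's actual HTML).
CLEAN_PAGE = b'<html><body><a href="/products.htm">Products</a></body></html>'
TAMPERED_PAGE = (b'<html><body>Security warning: install '
                 b'<a href="MS09-067.exe">MS09-067</a></body></html>')
BASELINE = hashlib.sha256(CLEAN_PAGE).hexdigest()

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_index_page(page, BASELINE))
```

In use, the bytes would be read from the web root's index.htm and the baseline hash recorded when the page is deployed.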
By: Methusela Cebrian Ferrer
Methusela Cebrian Ferrer is a Senior Research Engineer with the CA Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, she spent 5 years on the antivirus service team and R&D group for Trend Micro Internet Security Labs. She also worked with antivirus and anti...