These two worms received some attention when they spread around the world on the 9th and 17th of May. Technically referred to as VBS/VBSWG.X@mm and VBS/VBSWG.Z@mm, they are both based on the same worm-generating kit. However, they came from different corners of the globe: Homepage from the Netherlands and Mawanella from Sri Lanka. Why did these spread successfully when many other very similar worms fail? They arrive in email and require the user to click on the attachment in order to spread further, so maybe the text of the message is critical. Alternatively, perhaps they got a "lucky break", infecting a victim with a large address book of gullible friends, or maybe the author was persistent in sending copies to multiple addresses until the epidemic started.
Whichever was actually the case, the outbreak was avoidable. Any one of these methods would have prevented VBS/VBSWG.X@mm or VBS/VBSWG.Z@mm from affecting an organisation:
- Uninstall the Windows Scripting Host (see How to disable Windows Scripting Host (Sophos) or How to uninstall Windows Scripting Host (F-Secure))
- Delete executable (or just .VBS) attachments at your mail gateway (see VMyths)
- Educate users to follow the Safe Hex guidelines (see Simple steps to defend against the latest threats)
- Use our managed email security service, YKScan (see Enhanced Email Security in Hong Kong)
Of course, these methods will not prevent all viruses and worms with 100% certainty (e.g. viruses downloaded from the web, or on CD-ROMs) but if your organisation has just been hit by an email worm again, please try at least one before the next time.
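As an illustration of the mail gateway option above, here is an added example (not taken from any of the linked guides) of a filter that replaces script and executable attachments with a notice. The extension list, the function names and the sample message are assumptions made for this sketch.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative block list (an assumption, not from the article): script and
# executable types that Windows will run when double-clicked.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                      ".exe", ".com", ".scr", ".pif", ".bat"}

def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Only the last extension counts ("page.HTML.vbs" is a .vbs), and Windows
    # ignores trailing dots and spaces ("x.vbs. " still opens as .vbs).
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def strip_blocked_attachments(raw_bytes):
    """Replace blocked attachments with a notice; return (new_bytes, removed)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition, then Content-Type "name".
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED_EXTENSIONS:
            removed.append(filename)
            # set_content() discards the old payload and Content-* headers.
            part.set_content(f"Attachment {filename!r} was removed by the mail gateway.\n")
    return msg.as_bytes(), removed

def build_sample():
    """Constructed test message: one script attachment, one harmless one."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.com"
    m["Subject"] = "Constructed sample"
    m.set_content("Hi, please look at the attachment.")
    m.add_attachment(b"MsgBox 1", maintype="application",
                     subtype="octet-stream", filename="notes.HTML.VBS")
    m.add_attachment(b"%PDF-1.4", maintype="application",
                     subtype="pdf", filename="agenda.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
```

Matching on the last extension after trimming trailing dots and spaces is what catches double-extension names that display as a harmless document type.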