Known as BadTrans.B, the worm installs hacking software on infected computers. It hit home e-mail users hard last weekend, but the damage to corporate consumers was less than previously anticipated.
"We have captured upward of 13,000 of these (infected messages) since we first started seeing them, but for the most part I think corporate users are going to be just fine," said John Harrington, with e-mail screening service MessageLabs. "It is probably going to affect home users more than anyone else because they tend not to update their (virus protection) as often as corporate users."
While the 13,000 figure is significant, it would have been even higher had the malicious program spread through company networks.
"When it first broke, it was one of the fastest-propagating worms that we had seen to date, but that has slowed a bit," Harrington said.
MessageLabs said it has seen around 30,000 copies to date in about 90 countries.
The worm is spreading mainly due to people's relaxed approach to security during the holiday season, said April Goostree, virus research manager for computer security company McAfee.com.
"The fact that it comes around this time makes more end-users vulnerable, because they are expecting holiday e-mails," she said.
Reports of the worm, a variant of the original BadTrans virus that started spreading last April, started coming in Friday night. By Saturday, Goostree said, McAfee.com had intercepted several hundred copies of the worm. On Sunday, reports of worm infections were coming in at a rate of three to five every minute.
Data provided online by e-mail screening service MessageLabs showed the virus accelerating quickly, with more than 700 infected e-mail messages intercepted on Saturday and several thousand stopped on Sunday.
The numbers knocked SirCam from the No. 1 slot in MessageLabs' daily rankings of the Top 10 bugs, a spot the persistent e-mail worm has held for more than four months.
The worm doesn't play on the holidays, however. Aside from a handful of general names for the e-mail attachment that spreads the worm--such as "card" and "pics"--the worm makes no overt connection to either Thanksgiving or Christmas.
While BadTrans.B is not destructive, it does install a keylogger, a program that records what a person using the infected PC types and then sends the information to the virus writer's e-mail address. The key-logging program, known as Backdoor-NK.server, focuses specifically on four software functions that are used by programs to allow a person to enter a password, so it mainly records account information entered.
The FBI is reportedly using just such a program to collect the digital keys to suspected criminals' accounts.
A PC user will first encounter the worm as an e-mail message--possibly from someone he or she knows--with an executable attachment. The worm propagates by sending itself as a reply to any unread messages in the person's Outlook mailbox. It also sends itself to e-mail addresses culled from images of Web pages contained in the "My Documents" folder and the browser's cache.
The virus uses a vulnerability in Microsoft's Internet Explorer 5.01 and 5.5 to automatically execute itself on PCs that don't have a patched Web browser. Opening the e-mail in a separate window or Outlook's preview pane will cause the worm to execute on unpatched machines.
The vulnerability had also been used by the Nimda worm as one of its four ways of spreading.
"That's the vulnerability du jour," said Roger Thompson, lead antivirus researcher for security firm TruSecure.
On PCs with patched Web browsers, a dialog box will open, asking the person what to do.
Staff writer Wendy McAuliffe contributed to this report from London. Staff writer Sandeep Junnarkar contributed from New York.