Email security vendor Trend Micro recently released three new virus alerts in the same week. The culprits were: WORM_MYTOB.ED, WORM_MYTOB.EG and WORM_WURMARK.J. All three had one thing in common: they attempted to trick users into opening attachments by employing cleverly packaged email subject lines.

While it may be one of the oldest tricks in the book, using enticing email subject headers remains one of the most effective ways internet worms are able to spread around the world so quickly, infecting corporate networks and resulting in millions of dollars in damage to businesses each year.

By analysing infection rates, Trend Micro found that the most common lure used by Internet worms today remains sexually explicit emails including tantalizing image files. Some of today’s most prolific worms including SOBER, NETSKY, MYDOOM, LOVGATE and newcomer WURMARK all use this method to spread.

The prevalence of email with sexually explicit subjects is overwhelming. In 2002, the BBC reported that a leading IT company had suspended 150 of its employees for using company email accounts for sending and receiving inappropriate jokes or pornographic pictures. It is no wonder then, that almost every major internet worm today uses this method of propagation. Even when the email subjects are as simple as “just for you” or “pics,” an enormous number of curious recipients are lured into opening infected files.
Malwares that typically use this type of email subject line include: SOBER, NETSKY, MYDOOM, BAGLE, LOVGATE, WURMARK and MIMAIL.

Other major email lures for the unsuspecting include:

System Notifications: Subjects range from notifications that your email account has expired to returned mail notifications, account suspension, password update notifications, etc. These emails often include warnings such as: *IMPORTANT*, Notice: **Last Warning**, etc., for added emphasis.
Malwares that typically use this type of email subject line include: MYTOB, SOBER and BAGLE.

Replies from Known Senders: Subjects typically begin with the “Re:” prefix to fool users into believing the email is a reply to an email sent earlier. Headers may include “Your pictures,” “Your account,” an approval letter from a superior, or a simple “Hi.” Malwares that typically use this type of email subject line include: SOBER, NETSKY, MYDOOM, BAGLE, LOVGATE and SOBIG.

Media Event: Whenever a major news event occurs, invariably a malware will take advantage. Recently, the WORM_SOBER.S has been spotted posing as FIFA (the world football association), giving away free tickets to World Cup matches. Major news events that have been used by malwares include: Yasser Arafat’s death, the 9/11 attacks, the US-Iraq War and hidden camera photos of famous personalities.