lilwip
Posted: Thu Mar 20, 2003 5:01 pm

A new e-mail worm spreads by capitalizing on interest in the war with Iraq and related issues, British antivirus vendor Sophos warned.

Some e-mails containing the W32/Ganda-A worm contain subject lines and content designed to entice the user with the promise of Iraqi spy photos, screensavers expressing patriotic U.S. sentiments or critical of the Bush administration, and warnings about Nazi propaganda being spread via CD-ROM to children or over the Internet. The e-mails also promise Linux information for Windows users, and screensavers of playing kittens.

Sophos said it has only received one report of the worm from the wild.

One of the e-mail messages has the subject line "Spy pics," with the message text, "Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!"

Another message, with the subject line, "Disgusting propaganda," reads, "Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you."

More e-mails, along with more information about the worm, are available from the Sophos Web site.

The worm "sends a rambling diatribe to a small set of e-mail addresses apparently belonging to Swedish journalists. These e-mails do not contain the worm as an attachment," Sophos said.

It contains the text, "WORM.SWEDENSUX Coded by Uncle Roger in Härnösand, Sweden, 03.03. I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination," Sophos said.

The worm spreads by sending itself to e-mail addresses collected from EML, HTM*, DBX, and WAB files on an infected computer. It creates two copies of itself in the Windows folder, one named scandisk.exe and another an EXE file consisting of eight randomly chosen lowercase letters. It changes the Windows registry so that it loads automatically every time the computer is started.

The worm tries to kill running instances of popular antivirus applications, Sophos said.

Article Source: InternetWeek
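
A triage check built on the file artifacts described in the post above, as an added example that is not part of the original post or of Sophos's tooling. It assumes the two dropped copies are byte-identical (the post does not say so), and the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Names taken from the post: a fixed "scandisk.exe" plus an EXE named with
# eight random lowercase letters, both written to the Windows folder.
FIXED_NAME = "scandisk.exe"
RANDOM_NAME = re.compile(r"[a-z]{8}\.exe")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_dropped_pairs(windows_dir):
    """Return sorted names of eight-letter EXEs whose content equals scandisk.exe.

    Assumption (not stated by the post): the two dropped copies are
    byte-identical. The name pattern alone is too broad, since legitimate
    files such as explorer.exe also have eight lowercase letters.
    """
    files = [p for p in Path(windows_dir).iterdir() if p.is_file()]
    anchors = [p for p in files if p.name.lower() == FIXED_NAME]
    if not anchors:
        return []
    anchor_hashes = {sha256_of(p) for p in anchors}
    return sorted(
        p.name
        for p in files
        if p.name.lower() != FIXED_NAME
        and RANDOM_NAME.fullmatch(p.name.lower())
        and sha256_of(p) in anchor_hashes
    )


if __name__ == "__main__":
    import sys
    # Usage: pass the Windows folder to inspect as the first argument.
    for name in find_dropped_pairs(sys.argv[1]):
        print(f"{name} is a byte-for-byte copy of {FIXED_NAME}")
```

A hit is a lead for further inspection, not a verdict; the registry autostart entry the post mentions still has to be checked separately.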
kanaloa
John C. Derrick
Posted: Thu Mar 20, 2003 5:19 pm

Sure enough the Virus Ticker on the Front Page lists it too.

Thanks for the heads up.
Index >> Security Center >> Virus Capitalizes On Iraq War Interest