Virus Capitalizes On Iraq War Interest
Viruses got you down? Spyware making your system sluggish? Post here for support on all your security needs.

Moderators: Management, Forum Experts

Post a reply

Virus Capitalizes On Iraq War Interest

Postby lilwip on Thu Mar 20, 2003 5:01 pm

A new e-mail worm spreads by capitalizing on interest in the war with Iraq and related issues, British antivirus vendor Sophos warned.

Some e-mails containing the W32/Ganda-A worm contain subject lines and content designed to entice the user with the promise of Iraqi spy photos, screensavers expressing patriotic U.S. sentiments or critical of the Bush administration, and warnings about Nazi propaganda being spread via CD-ROM to children or over the Internet. The e-mails also promise Linux information for Windows users, and screensavers of playing kittens.

Sophos said it has only received one report of the worm from the wild.

One of the e-mail messages has the subject line "Spy pics," with the message text, "Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!"

Another message, with the subject line, "Disgusting propaganda," reads, "Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you."

More e-mails, along with more information about the worm, are available from the Sophos Web site.

The worm "sends a rambling diatribe to a small set of e-mail addresses apparently belonging to Swedish journalists. These e-mails do not contain the worm as an attachment," Sophos said.

It contains the text, "WORM.SWEDENSUX Coded by Uncle Roger in Hrnsand, Sweden, 03.03. I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination," Sophos said.

The worm spreads by sending itself to e-mail addresses collected from EML, HTM*, DBX, and WAB files on an infected computer. It creates two copies of itself in the Windows folder, one named scandisk.exe and another an EXE file consisting of eight randomly chosen lowercase letters. It changes the Windows registry so that it loads automatically every time the computer is started.

The worm tries to kill running instances of popular antivirus applications, Sophos said.

Article Source: InternetWeek
=====

Image
User avatar
lilwip
PROfessional Member
 
Posts: 1419
Joined: Thu Aug 08, 2002 1:15 pm
Location: Independence, Missouri
Top

Postby kanaloa on Thu Mar 20, 2003 5:19 pm

Sure enough the Virus Ticker on the Front Page lists it too.

Thanks for the heads up.
"With realization of one's own potential and self-confidence in one's ability, one can build a better world." -Dalai Lama
Image

Follow me on Twitter: http://twitter.com/JCDerrick
User avatar
kanaloa
President
 
Posts: 24896
Joined: Sat Mar 09, 2002 9:18 pm
Location: Columbia, SC
Real Name: John Derrick
Top
Post a reply

Return to Security & Virus

Who is online

Users browsing this forum: No registered users and 0 guests