Clinton worm tries to delete drives, files

Edward Hurley, Assistant News Editor

Former president Bill Clinton has joined the ranks of Britney Spears and Anna Kournikova as a social engineering tool for virus writers.

The W32/Caric-A worm arrives disguised as a screensaver featuring Clinton, but at the same time it makes some potentially devastating changes to a user's hard drive. The worm copies itself to the Windows system folder and changes some registry keys.

The worm's payload is activated at 8 a.m. each day. It tries to delete drives C:*.*, D:*.*, E:*.* and F:*.*. W32/Caric-A also targets system files including those with SYS, VXD, OCX and NLS extensions. The resulting damage could be serious enough that the system would need to be rebuilt, said Chris Wraight, technical director with Sophos.

As of this morning, Sophos has had no reports of the worm in the United States, but the company saw several cases of it in Australia and a few in the United Kingdom, Wraight said.

The worm spreads by harvesting e-mail addresses from infected machines' Outlook Address Books. The e-mail looks like this:

Subject: my life ohhhhhhhhhhhhh
Body:
Hiiiii
How are youuuuuuuu?
look to the bill caricature vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy


========No Viruse Found========
                   MCAFEE.COM

If a user clicks on the attached file "cari.scr" then a little cartoon comes up featuring Bill Clinton playing a saxophone. A bra can be seen coming out of the end of the horn.

The worm tries to mask its activities by saying the message has been scanned by McAfee.com. This should be a tip-off for users who don't use that antivirus service, Wraight said. Even people who do should be suspicious as it doesn't have the look and feel of that product.

"One should also be suspicious as it spells viruses wrong," Wraight said. Spelling errors in the body of the message should be another tip-off.

W32/Caric-A highlights the dangers of opening files that purport to be screensavers. Increasingly, companies are blocking such files at the gateway, much like they do executables, Wraight said.
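The gateway blocking Wraight describes can be sketched as an attachment-extension check. This is an added example, not code from the article or from Sophos; the extension list, the function names and the sample addresses are assumptions, and the test message is constructed with a harmless placeholder attachment.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist: extensions Windows runs as programs.
# A .scr screensaver is an ordinary executable with a different extension.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs"}

def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments a gateway should reject."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded names
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "cari.scr." still runs as .scr.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        # Only the last extension decides how the file is opened ("x.jpg.scr" -> ".scr").
        ext = cleaned[dot:] if dot != -1 else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def build_sample(filename: str) -> bytes:
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "my life ohhhhhhhhhhhhh"
    msg.set_content("look to the bill caricature")
    msg.add_attachment(b"placeholder, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name in ("cari.scr", "CARI.SCR", "holiday.jpg.scr", "cari.scr.", "notes.txt"):
        verdict = "BLOCK" if blocked_attachments(build_sample(name)) else "allow"
        print(f"{name:18} {verdict}")
```
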
