Former president Bill Clinton has joined the ranks of Britney Spears and Anna Kournikova as a social engineering tool for virus writers.
The W32/Caric-A worm arrives disguised as a screensaver featuring Clinton, but at the same time it makes some potentially devastating changes to a user's hard drive. The worm copies itself to the Windows system folder and changes some registry keys.
The worm's payload is activated at 8 a.m. each day. It tries to delete drives C:*.*, D:*.*, E:*.* and F:*.*. W32/Caric-A also targets system files including those with SYS, VXD, OCX and NLS extensions. The resulting damage could be serious enough that the system would need to be rebuilt, said Chris Wraight, technical director with Sophos.
As of this morning, Sophos has had no reports of the worm in the United States but the company saw several cases of it in Australia and a few in the United Kingdom, Wraight said.
The worm spreads by harvesting e-mail addresses from infected machines' Outlook Address Books. The e-mail looks like this:
Subject: my life ohhhhhhhhhhhhh
How are youuuuuuuu?
look to the bill caricature vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
========No Viruse Found========
If a user clicks on the attached file "cari.scr" then a little cartoon comes up featuring Bill Clinton playing a saxophone. A bra can be seen coming out of the end of the horn.
The worm tries to mask its activities by saying the message has been scanned by McAfee.com. This should be a tip-off for users who don't use that antivirus service, Wraight said. Even people who do should be suspicious as it doesn't have the look and feel of that product.
"One should also be suspicious as it spells viruses wrong," Wraight said. Spelling errors in the body of the message should be another tip off.
W32/Caric-A highlights the dangers of opening files that purport to be screensavers. Increasingly companies are blocking such files at the gateway much like they do executables, Wraight said.