Few pop stars are known worldwide by one name. There's Cher and Madonna. And there's Britney and Shakira.
The last two have another thing in common: a computer virus.
VBS/Chick-C is a Visual Basic Script worm that arrives as an e-mail attachment pretending to be a new video from Columbian songstress Shakira. The worm is similar to VBS/Britney-A, a worm that surfaced in March. The worm masqueraded itself as a picture of Spears.
VBS/Chick-C joins a long line of worms that use public interest in celebrities to spread. MyLife in March featured a picture of Bill Clinton. A highly destructive worm a while ago featured Anna Kournikova.
The author of the Shakira worm probably lifted code from Britney-A or used a similar tool kit to create the scripts, said Chris Wraight, technology consultant with Sophos. The worm spreads via e-mail using Microsoft Outlook and through Internet Relay Chat (IRC) networks.
While Shakira has crossed over to the English-speaking world, her namesake worm hasn't. The e-mail message containing the worm is in Spanish. Worms written in Spanish are rare. Most virus messages are written in English, Wraight said.
As of last night, Sophos has received no reports of the worm in the while. They expect any activity it does will be in the Spanish-speaking world.
VBS/Chick-C arrives appearing to be a help file (.chm) attached to the following message:
Subject line: Nuevo video de SHAKIRA!
He visto el nuevo video de Shakira
y me he enamorado de ella.
Esta hermosa mujer es hermosa, es impactante
me ha hecho suspirar y quiero que
igual que yo compartas esta emocion.
Attached file: SHAKIRA.CHM
When the worm is executed, Microsoft's HTML help viewer is opened displaying an HTML page featuring a request to enable Active-X so the Shakira video can run. The HTML document also features lyrics from a Shakira song called "Antologia."
After being executed, the worm copies itself to the Windows directory. It attempts to spread by e-mail using Microsoft Outlook but only sends itself to the first address in the Outlook address book.
The worm also searches drives C:, D: and E: for the presence of a file called MIRC.INI. If Shakira finds the IRC file, the worm creates a SCRIPT.INI file to send copies of the files to other IRC users.
The worm will only execute if Active-X is enabled. It's a good security practice to disable Active-X on machines, Wraight said. Someone, who needs Active-X for a legitimate reason and is sure the file is safe, can always enable it, he said.
Blocking files with the .chm extension at the gateway is another good security practice, Wraight added.