Two new worms carry international flavor

Few pop stars are known worldwide by one name. There's Cher and Madonna. And there's Britney and Shakira.

The last two have another thing in common: a computer virus.

VBS/Chick-C is a Visual Basic Script worm that arrives as an e-mail attachment pretending to be a new video from Colombian songstress Shakira. The worm is similar to VBS/Britney-A, a worm that surfaced in March and masqueraded as a picture of Spears.

Italian worm deletes files
W32/Hunch-C is a new e-mail-based worm that uses Microsoft Outlook to spread. It arrives as an attachment to an e-mail featuring the following body text: "Tal como te prometi; te envio mi foto en el archivo adjunto..."

When executed, the worm copies itself to the following Windows directory locations:

C:\Windows\System\Thd16.exe;

C:\Windows\System\Msoffice.exe;

and
C:\Windows\System\<attachment filename>

W32/Hunch-C will then delete up to five files which have one of the following extensions: XLS, DOC, WAV, DWG, MP3, BAK, CDX, BMP, HTM, HLP, CHM, JPG, CDR, MDB, DBF and ICO.

After doing all this, the worm then displays a pornographic image.


Feedback on this story? Send your comments to Assistant News Editor Edward Hurley

VBS/Chick-C joins a long line of worms that use public interest in celebrities to spread. MyLife in March featured a picture of Bill Clinton. A highly destructive worm a while ago featured Anna Kournikova.

The author of the Shakira worm probably lifted code from Britney-A or used a similar tool kit to create the scripts, said Chris Wraight, technology consultant with Sophos. The worm spreads via e-mail using Microsoft Outlook and through Internet Relay Chat (IRC) networks.

While Shakira has crossed over to the English-speaking world, her namesake worm hasn't. The e-mail message containing the worm is in Spanish. Worms written in Spanish are rare. Most virus messages are written in English, Wraight said.

As of last night, Sophos had received no reports of the worm in the wild. The company expects any activity to be in the Spanish-speaking world.

VBS/Chick-C arrives appearing to be a help file (.chm) attached to the following message:

Subject line: Nuevo video de SHAKIRA!

Message text:

Hola
He visto el nuevo video de Shakira
y me he enamorado de ella.
Esta hermosa mujer es hermosa, es impactante
me ha hecho suspirar y quiero que
igual que yo compartas esta emocion.
Disfrutalo.


Attached file: SHAKIRA.CHM

When the worm is executed, Microsoft's HTML help viewer is opened displaying an HTML page featuring a request to enable Active-X so the Shakira video can run. The HTML document also features lyrics from a Shakira song called "Antologia."

After being executed, the worm copies itself to the Windows directory. It attempts to spread by e-mail using Microsoft Outlook but only sends itself to the first address in the Outlook address book.

The worm also searches drives C:, D: and E: for the presence of a file called MIRC.INI. If Shakira finds the IRC file, the worm creates a SCRIPT.INI file to send copies of the files to other IRC users.

The worm will only execute if Active-X is enabled. It's a good security practice to disable Active-X on machines, Wraight said. Someone who needs Active-X for a legitimate reason and is sure the file is safe can always enable it, he said.

Blocking files with the .chm extension at the gateway is another good security practice, Wraight added.
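One way to express the gateway rule described above, as an added example that is not from the article or from Sophos: a Python filter that parses a raw message and reports any attachment whose extension is on a block list. The function names, the addresses and the sample message are constructed for illustration; only the subject line and the SHAKIRA.CHM filename come from the article.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".chm"}  # from the article; extend per local policy


def normalized_extension(filename):
    """Return the lowercased final extension, ignoring trailing dots and
    spaces (Windows drops them, so 'X.CHM. ' still opens as a .chm file)."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_bytes):
    """Return the filename of every MIME part with a blocked extension."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # visits nested multipart containers too
        filename = part.get_filename()  # None for parts without a name
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample(attachment_name):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed address
    msg["To"] = "recipient@example.com"       # constructed address
    msg["Subject"] = "Nuevo video de SHAKIRA!"  # subject quoted in the article
    msg.set_content("Hola")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("SHAKIRA.CHM", "notes.txt", "Video.Chm."):
        verdict = blocked_attachments(build_sample(name))
        print(f"{name!r}: {'BLOCK' if verdict else 'allow'}")
```

Matching on the normalized final extension rather than the literal string ".chm" keeps the rule from being bypassed by case changes or a trailing dot.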
