New script worm targets horny males

I have ceased to be amazed by what users manage to do. Send the average user an email with "naked" or "star pictures" in the subject line or body and they begin salivating while, in the background, their PC (or, more usually, their data) does the modern equivalent of being burned to the ground!

As a threat assessment and resolution expert, my usual reaction to such news is "Oh No, Not Again!" But there it is. Like its predecessor this past month, the Kournikova worm, NakedWife (I-Worm, W32/Naked@MM, W32.HLLW.JibJab@mm) also takes advantage of our (usually male) weakness for anything naked.

This new Net Trojan first surfaced at about 1600 GMT on Tuesday, 6 March 01, in the US. It spreads, as usual, through Outlook: an infected user will email a copy of the worm to every Contact in the Address Book. An infected email has the subject "Fw: Naked Wife" and the message "My wife never look like that! ;-) Best Regards, [Your Name]", where [Your Name] is your default signature. There is an attached file, NakedWife.EXE.
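The subject line and attachment name described above are the kind of indicators a mail gateway can match before a user ever sees the message. The following is an added example, not code from the article: the function names, the extension block list and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.header import decode_header, make_header

SUBJECT = "fw: naked wife"      # subject reported in the article
ATTACHMENT = "nakedwife.exe"    # attachment name reported in the article
RISKY_EXT = (".exe", ".com", ".vbs", ".scr", ".pif")  # assumption: gateway block list

def _decoded(value):
    """Decode an RFC 2047 encoded header value to plain text."""
    return str(make_header(decode_header(value or ""))).strip()

def inspect_message(raw):
    """Return the reasons to quarantine a raw message (empty list if clean)."""
    msg = message_from_string(raw)
    reasons = []
    if _decoded(msg["Subject"]).lower() == SUBJECT:
        reasons.append("subject matches NakedWife")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        name = _decoded(name).lower()   # match case-insensitively
        if name == ATTACHMENT:
            reasons.append("attachment named NakedWife.EXE")
        elif name.endswith(RISKY_EXT):
            reasons.append("executable attachment: " + name)
    return reasons

# Constructed sample message modelled on the article's description.
INFECTED = """\
From: friend@example.com
Subject: Fw: Naked Wife
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

My wife never look like that! ;-)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="NakedWife.EXE"

(placeholder body, not a real binary)
--b1--
"""

if __name__ == "__main__":
    print(inspect_message(INFECTED))
```

Because a worm's subject and file name are trivial to change, the extension check is what catches a renamed copy; the exact-match rules only identify this specific mailing.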

As with other worms, clicking on the attachment launches the infector. This displays what looks like a Macromedia Flash Player window, which contains a logo titled "JibJab" and displays an infinite-loop "Loading..." message. JibJab (Interactive Marketing) is an online rich media ad developer and has no real or implied association with the virus.

The Player window looks normal. Right-clicking on the window displays the standard Flash file info. But if you click the "About Macromedia Flash..." menu item, you get a shock: "Flash You're are now FUCKED! (C) 2001 by BGK (Bill Gates Killer)" and you are prompted for a confirmation to close the sub-window. And you are really F****d when you click the infected file attachment.

Besides sending a copy of itself to the contacts in your address book, the worm also targets your files, including the system files. It deletes all files with .INI, .LOG, .DLL, .EXE, .COM, and .BMP extensions in the Windows and Windows\System folders. This means that, once infected, your Windows installation is as good as destroyed.

But we can be thankful for "small mercies": the worm doesn't make any Registry changes or store a copy of itself on your system for future infection. The Trojan is written in VBS (Visual Basic Script). After beginning its death countdown, the Trojan displays "You're now (F-----!) (c) 2001 By BGK (Bill Gates Killer)."

There is no magic-bullet solution, except not to click on the attachment and to immediately update your antivirus signature files. Updates are available from all major vendors.

Govind Menon