27 Nov 2002

Korean conference inspires anti-anti-virus virus behaviour - Sophos warns of Winevar worm

Sophos, a leading developer of corporate anti-virus protection, believes the author of the new Winevar worm (W32/Winevar-A) was inspired by the Association of Anti-Virus Asia Researchers (AVAR) 2002 conference, held last week in Seoul, Korea.

The Winevar worm drops the W32/Flcss worm (also known as FunLove) onto infected machines and spreads via an email with a subject line of "Re: AVAR(Association of Anti-Virus Asia Researchers)". Furthermore, Sophos has found that, in an apparently deliberate attempt to directly harm the anti-virus community, the Winevar worm attempts to launch a denial of service attack on the website of US security firm Symantec.

"Ironically, the Winevar worm author seems to have got his inspiration from a conference intended to reduce the impact of computer viruses," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Fortunately for computer users - and for Symantec - Winevar has not had a major impact, but we advise everyone to update their anti-virus software in order to protect against this worm."

The Winevar worm shares code characteristics with the Braid worm (W32/Braid-A, first seen in early November) which has infected many computer users across the world. It is likely that both Winevar and Braid were written by the same virus writer, who it now seems may be based in Korea.

An interesting side effect of this worm is that it changes file associations so that all files ending .CEO are treated as if they are executable. This means a future virus could transmit itself amongst Winevar victims in the form of a .CEO file.

"Winevar creates the ultimate in dishonest CEOs - infected users should double check their file associations to make sure they do not leave this vulnerability open," said Cluley.

Sophos has had protection available against W32/Winevar-A since 25 November. Users of Sophos MailMonitor for SMTP have been able to prevent the virus from entering their organisation using pro-active threat reduction technology before this date.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.