Sophos, a leading developer of corporate anti-virus protection,
believes the author of the new Winevar worm (W32/Winevar-A)
was inspired by the Association of Anti-Virus Asia
Researchers (AVAR) 2002 conference, held last week in Seoul,
Korea.
The Winevar worm drops the W32/Flcss worm (also known
as FunLove) onto infected machines and spreads via an email with a
subject line of "Re: AVAR(Association of Anti-Virus Asia
Researchers)". Furthermore, Sophos has found that, in an apparently
deliberate attempt to directly harm the anti-virus community, the
Winevar worm attempts to launch a denial of service attack on the
website of US security firm Symantec.
"Ironically, the Winevar worm author seems to have got his
inspiration from a conference intended to reduce the impact of
computer viruses," said Graham Cluley, senior technology consultant
for Sophos Anti-Virus. "Fortunately for computer users - and for
Symantec - Winevar has not had a major impact, but we advise
everyone to update their anti-virus software in order to protect
against this worm."
The Winevar worm shares code characteristics with the Braid worm (W32/Braid-A,
first seen in early November) which has infected many computer
users across the world. It is likely that both Winevar and Braid
were written by the same virus writer, who it now seems may be
based in Korea.
An interesting side effect of this worm is that it changes file
associations so that all files ending .CEO are treated as if they
are executable. This means a future virus could transmit itself
amongst Winevar victims in the form of a .CEO file.
"Winevar creates the ultimate in dishonest CEOs - infected users
should double check their file associations to make sure they do
not leave this vulnerability open," said Cluley.
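
The file-association check recommended above can be automated. The following is an added example, not code from Sophos: it parses the output of the Windows `assoc` command and flags any extension outside the default set that maps to an executable ProgID. The sample output is constructed, and the mapping of .CEO to `exefile` in it is an assumption made for illustration.

```python
# Added example: audit `assoc` output for extensions that have been
# remapped to a ProgID Windows treats as executable.

# ProgIDs that Windows runs as programs or scripts.
EXECUTABLE_PROGIDS = {"exefile", "comfile", "batfile", "cmdfile", "piffile", "scrfile"}

# Default Windows pairing of extension and executable ProgID.
EXPECTED = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
            ".cmd": "cmdfile", ".pif": "piffile", ".scr": "scrfile"}

# Constructed sample of `assoc` output; the .CEO line is an assumed
# form of the association change described in the text.
SAMPLE_ASSOC = """\
.bat=batfile
.CEO=exefile
.com=comfile
.doc=Word.Document.8
.exe=exefile
.scr=scrfile
.txt=txtfile
"""

def parse_assoc(text):
    """Return {extension: progid}, lower-cased, skipping malformed lines."""
    mapping = {}
    for line in text.splitlines():
        ext, sep, progid = line.strip().partition("=")
        if sep and ext.startswith(".") and progid:
            mapping[ext.lower()] = progid.strip().lower()
    return mapping

def suspicious_associations(text):
    """List (extension, progid) pairs that are executable but not a default pairing."""
    findings = []
    for ext, progid in sorted(parse_assoc(text).items()):
        if progid in EXECUTABLE_PROGIDS and EXPECTED.get(ext) != progid:
            findings.append((ext, progid))
    return findings

if __name__ == "__main__":
    for ext, progid in suspicious_associations(SAMPLE_ASSOC):
        print(f"unexpected executable association: {ext} -> {progid}")
```

On a live machine, feed the function the text produced by running `assoc` in a command prompt instead of the sample.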
Sophos has had protection available against W32/Winevar-A since
25 November. Users of Sophos MailMonitor
for SMTP have been able to prevent the virus from entering
their organisation using pro-active threat reduction technology
before this date.