
Sophos experts have countered Welsh virus writer Simon Vallor's
claims that the viruses he spread were not damaging.
Vallor, 22, is to be sentenced at Southwark Crown Court in
London on Tuesday 21 January for spreading the computer viruses
W32/Redesi,
W32/Gokar and
Admirer. The prosecution claims that over 27,000 computers in 42
countries were infected by his viruses.
But in a newspaper interview published last week Vallor,
a web designer from Llandudno, was reported to have said: "The one
upside I suppose is it didn't have a damaging payload. It wasn't
going out to delete data or overwrite files. It was a nuisance,
there's no denying that but it wasn't damaging. It could have been
worse."
However, an analysis by Sophos experts of the viruses created by
Vallor has found this to be incorrect.
For instance, W32/Redesi-B deliberately
attempts to wipe the user's hard drive of all data on 11 November
2001, displaying the text "Bide ye the Wiccan laws ye must, In
perfect love and perfect trust."
Users were infected by W32/Redesi-B after receiving an email
which claimed to come from Microsoft technical support and being
lured into running the attachment. The emails could come with a
variety of subject lines, including:
"FW: Important news from Microsoft."
"FW: Stop terrorists computer viruses reign."
"FW: Terrorists release computer virus."
"FW: Terrorist Emergency. Latest virus can wipe disk in minutes."
Contained inside the virus is a message from Simon Vallor to his
intended victims, taunting them that they don't know his phone
number and bragging that his virus was made in Wales:
"When misfortune is enow, wear the blue star on thy brow.
True in love ye must ever be, lest thy love be false to thee. These
words the Wiccan Rede fulfill: An ye harm none, do what ye will.
Rede(c)Si 2001 ... heh, want my phone number too ?!? Sick of all
thes 3rd world gits spreading worms. Time for a bit of Welsh stuff
:)"
"It's clear from the subject lines that Vallor used and the
destructive payload contained within the virus that Vallor was
exploiting people's fear of terrorist cybercrime in the wake of 11
September 2001", said Graham Cluley, senior technology consultant
at Sophos Anti-Virus. "For him to claim that his virus was not
damaging is ridiculous. It was intentionally designed to cause as
much harm to a user's data as possible."
Another virus written by Simon Vallor, W32/Gokar-A, deliberately
attempts to overwrite the main page on the websites of infected
companies. Innocent users visiting the changed web page may find a
copy of the virus is downloaded onto their PC.