Sophos researchers report that they have discovered a new email-aware worm that feeds on public interest in the imminent war in Iraq in an apparent attempt to lure unsuspecting users.
The W32/Ganda-A worm, which appears to have been written in Sweden, uses a variety of different email subject lines and message bodies to try and encourage computer users to run its viral attachment.
The worm can use a variety of different subject lines and message bodies, in both English and Swedish, including:
Subject line: Spy pics.
Message text: Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!
Subject line: GO USA !!!!
Message text: This screensaver animates the star spangled banner. Please support the US administration in their fight against terror. Thanx a lot!
Subject line: G.W Bush animation.
Message text: Here's the animation that the FBI wants to stop. Seems like the feds are trying to put an end to peoples right to say what they think of the US administration. Have fun!
Subject line: Is USA always number one?
Message text: Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about. All the best.
"At a time of international crisis it is understandable that computer users will be interested in finding out the latest news from the Middle East, and many may be tempted to share breaking news with their friends and colleagues via email," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "The author of this virus is exploiting interest in current affairs by deliberately presenting his virus in this way. The message to users is simple: be suspicious of all unsolicited emails."
In a bizarre twist, the author of W32/Ganda-A claims to have a grievance with the Swedish educational system. Hidden inside the virus is the following text:
[WORM.SWEDENSUX] Coded by Uncle Roger in Hõrnsand, Sweden, 03.03. I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination.
"We don't know what Uncle Roger's problem is with the school system in Sweden," continued Cluley. "But whatever his problem is a worm is not an appropriate way to complain about it."
Sophos recommends companies consider blocking all Windows programs at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP not only detects known viruses but also contains pro-active threat reduction technology which can help businesses block dangerous filetypes and executable code at the email gateway.
Sophos customers who have kept their anti-virus software up-to-date are automatically protected against W32/Ganda-A. Users of other anti-virus products are recommended to update their software.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.